From 43d730d5642a36754613098e3efb81f2fd4a0003 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Wed, 2 May 2012 21:57:41 -0500
Subject: [PATCH] Squashed commit of minor cosmetic fixes:
commit eed15ea9ecc88683c8d922fe155d4777a7ce1286
Author: Tod Beardsley
Date: Wed May 2 21:55:56 2012 -0500
Whitespace at EOL. Dangit.
commit 8159b27728d1a4fd0ad94ff56c4b4f2b995646f8
Author: Tod Beardsley
Date: Wed May 2 16:38:01 2012 -0500
Disambiguating 'WebCalendar'
---
 .../auxiliary/scanner/misc/java_rmi_server.rb | 25 +++++++++----------
 .../linux/http/webcalendar_settings_exec.rb | 2 +-
 2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/modules/auxiliary/scanner/misc/java_rmi_server.rb b/modules/auxiliary/scanner/misc/java_rmi_server.rb
index cc625bb6ed..214d8e0725 100644
--- a/modules/auxiliary/scanner/misc/java_rmi_server.rb
+++ b/modules/auxiliary/scanner/misc/java_rmi_server.rb
@@ -39,10 +39,10 @@ class Metasploit3 < Msf::Auxiliary
 Opt::RPORT(1099)
 ], self.class)
 end
-
+
 def setup
 buf = gen_rmi_loader_packet
-
+
 jar = Rex::Text.rand_text_alpha(rand(8)+1) + '.jar'
 old_url = "file:./rmidummy.jar"
 new_url = "file:RMIClassLoaderSecurityTest/" + jar
@@ -50,13 +50,13 @@ class Metasploit3 < Msf::Auxiliary
 # Java strings in serialized data are prefixed with a 2-byte, big endian length
 # (at least, as long as they are shorter than 65536 bytes)
 find_me = [old_url.length].pack("n") + old_url
-
+
 idx = buf.index(find_me)
 len = [new_url.length].pack("n")
-
+
 # Now replace it with the new url
 buf[idx, find_me.length] = len + new_url
-
+
 @pkt = "JRMI" + [2,0x4b,0,0].pack("nCnN") + buf
 end
@@ -70,26 +70,26 @@ class Metasploit3 < Msf::Auxiliary
 if res and res =~ /^\x4e..([^\x00]+)\x00\x00/
 info = $1
-
+
 begin
 # Determine if the instance allows remote class loading
 connect
 sock.put(@pkt) rescue nil
-
+
 buf = ""
 1.upto(6) do
 res = sock.get_once(-1, 5) rescue nil
 break if not res
 buf << res
 end
-
+
 rescue ::Interrupt
 raise $!
 rescue ::Exception
 ensure
 disconnect
 end
-
+
 if buf =~ /RMI class loader disabled/
 print_status("#{rhost}:#{rport} Java RMI Endpoint Detected: Class Loader Disabled")
 report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "Class Loader: Disabled")
@@ -120,7 +120,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
-
+
 def gen_rmi_loader_packet
 "\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00" +
 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
@@ -132,7 +132,6 @@ class Metasploit3 < Msf::Auxiliary
 "\x52\x4d\x49\x4c\x6f\x61\x64\x65\x72\xa1\x65\x44\xba\x26\xf9\xc2" +
 "\xf4\x02\x00\x00\x74\x00\x13\x66\x69\x6c\x65\x3a\x2e\x2f\x72\x6d" +
 "\x69\x64\x75\x6d\x6d\x79\x2e\x6a\x61\x72\x78\x70\x77\x01\x00\x0a"
- end
-
-
+ end
+
 end
diff --git a/modules/exploits/linux/http/webcalendar_settings_exec.rb b/modules/exploits/linux/http/webcalendar_settings_exec.rb
index 1fb54e0b02..a0fdb0a69e 100644
--- a/modules/exploits/linux/http/webcalendar_settings_exec.rb
+++ b/modules/exploits/linux/http/webcalendar_settings_exec.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
 'Description' => %q{
-This modules exploits a vulnerability found in WebCalendar, version 1.2.4 or
+This modules exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or
 less. If not removed, the settings.php script meant for installation can be
 update by an attacker, and then inject code in it. This allows arbitrary code
 execution as www-data.
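Review bot: The added description line in webcalendar_settings_exec.rb still reads `This modules exploits`, so the reworded sentence carries the existing grammar slip into the new text; since the line is being rewritten anyway, `This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or` would fix it. The surrounding context lines have the same kind of slip (`can be update by an attacker`), which this commit leaves untouched; changing `update` to `updated` there would read better. This text is the module's `'Description'` value inside `update_info`, so the change is wording only and does not affect behaviour.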