Squashed commit of minor cosmetic fixes:
commit eed15ea9ecc88683c8d922fe155d4777a7ce1286
Author: Tod Beardsley <todb@metasploit.com>
Date: Wed May 2 21:55:56 2012 -0500
Whitespace at EOL. Dangit.
commit 8159b27728d1a4fd0ad94ff56c4b4f2b995646f8
Author: Tod Beardsley <todb@metasploit.com>
Date: Wed May 2 16:38:01 2012 -0500
Disambiguating 'WebCalendar'
This commit is contained in:
Tod Beardsley
parent
dd7bc23d16
commit
43d730d564
|
|
@ -39,10 +39,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
Opt::RPORT(1099)
|
Opt::RPORT(1099)
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
def setup
|
def setup
|
||||||
buf = gen_rmi_loader_packet
|
buf = gen_rmi_loader_packet
|
||||||
|
|
||||||
jar = Rex::Text.rand_text_alpha(rand(8)+1) + '.jar'
|
jar = Rex::Text.rand_text_alpha(rand(8)+1) + '.jar'
|
||||||
old_url = "file:./rmidummy.jar"
|
old_url = "file:./rmidummy.jar"
|
||||||
new_url = "file:RMIClassLoaderSecurityTest/" + jar
|
new_url = "file:RMIClassLoaderSecurityTest/" + jar
|
||||||
|
|
@ -50,13 +50,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# Java strings in serialized data are prefixed with a 2-byte, big endian length
|
# Java strings in serialized data are prefixed with a 2-byte, big endian length
|
||||||
# (at least, as long as they are shorter than 65536 bytes)
|
# (at least, as long as they are shorter than 65536 bytes)
|
||||||
find_me = [old_url.length].pack("n") + old_url
|
find_me = [old_url.length].pack("n") + old_url
|
||||||
|
|
||||||
idx = buf.index(find_me)
|
idx = buf.index(find_me)
|
||||||
len = [new_url.length].pack("n")
|
len = [new_url.length].pack("n")
|
||||||
|
|
||||||
# Now replace it with the new url
|
# Now replace it with the new url
|
||||||
buf[idx, find_me.length] = len + new_url
|
buf[idx, find_me.length] = len + new_url
|
||||||
|
|
||||||
@pkt = "JRMI" + [2,0x4b,0,0].pack("nCnN") + buf
|
@pkt = "JRMI" + [2,0x4b,0,0].pack("nCnN") + buf
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -70,26 +70,26 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
if res and res =~ /^\x4e..([^\x00]+)\x00\x00/
|
if res and res =~ /^\x4e..([^\x00]+)\x00\x00/
|
||||||
info = $1
|
info = $1
|
||||||
|
|
||||||
begin
|
begin
|
||||||
# Determine if the instance allows remote class loading
|
# Determine if the instance allows remote class loading
|
||||||
connect
|
connect
|
||||||
sock.put(@pkt) rescue nil
|
sock.put(@pkt) rescue nil
|
||||||
|
|
||||||
buf = ""
|
buf = ""
|
||||||
1.upto(6) do
|
1.upto(6) do
|
||||||
res = sock.get_once(-1, 5) rescue nil
|
res = sock.get_once(-1, 5) rescue nil
|
||||||
break if not res
|
break if not res
|
||||||
buf << res
|
buf << res
|
||||||
end
|
end
|
||||||
|
|
||||||
rescue ::Interrupt
|
rescue ::Interrupt
|
||||||
raise $!
|
raise $!
|
||||||
rescue ::Exception
|
rescue ::Exception
|
||||||
ensure
|
ensure
|
||||||
disconnect
|
disconnect
|
||||||
end
|
end
|
||||||
|
|
||||||
if buf =~ /RMI class loader disabled/
|
if buf =~ /RMI class loader disabled/
|
||||||
print_status("#{rhost}:#{rport} Java RMI Endpoint Detected: Class Loader Disabled")
|
print_status("#{rhost}:#{rport} Java RMI Endpoint Detected: Class Loader Disabled")
|
||||||
report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "Class Loader: Disabled")
|
report_service(:host => rhost, :port => rport, :name => "java-rmi", :info => "Class Loader: Disabled")
|
||||||
|
|
@ -120,7 +120,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def gen_rmi_loader_packet
|
def gen_rmi_loader_packet
|
||||||
"\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00" +
|
"\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x02\x00" +
|
||||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
||||||
|
|
@ -132,7 +132,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
"\x52\x4d\x49\x4c\x6f\x61\x64\x65\x72\xa1\x65\x44\xba\x26\xf9\xc2" +
|
"\x52\x4d\x49\x4c\x6f\x61\x64\x65\x72\xa1\x65\x44\xba\x26\xf9\xc2" +
|
||||||
"\xf4\x02\x00\x00\x74\x00\x13\x66\x69\x6c\x65\x3a\x2e\x2f\x72\x6d" +
|
"\xf4\x02\x00\x00\x74\x00\x13\x66\x69\x6c\x65\x3a\x2e\x2f\x72\x6d" +
|
||||||
"\x69\x64\x75\x6d\x6d\x79\x2e\x6a\x61\x72\x78\x70\x77\x01\x00\x0a"
|
"\x69\x64\x75\x6d\x6d\x79\x2e\x6a\x61\x72\x78\x70\x77\x01\x00\x0a"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
|
'Name' => "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This modules exploits a vulnerability found in WebCalendar, version 1.2.4 or
|
This modules exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or
|
||||||
less. If not removed, the settings.php script meant for installation can be
|
less. If not removed, the settings.php script meant for installation can be
|
||||||
update by an attacker, and then inject code in it. This allows arbitrary code
|
update by an attacker, and then inject code in it. This allows arbitrary code
|
||||||
execution as www-data.
|
execution as www-data.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue