GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/hams/steamed.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
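# Novelty module: it replays a Base64-encoded dialogue script on the console.
#
# The visible #exploit method opens no connection, builds no payload and
# touches no remote host; all it does is decode the selected target's
# 'script' string, print it line by line and sleep between lines.
#
# NOTE(review): the two 'script' values are opaque Base64. Encoded blobs in
# module metadata are invisible to string-based review, so decode them offline
# when auditing this file instead of trusting the surrounding description.
class MetasploitModule < Msf::Exploit::Remote
  # Lowest-confidence rank; presumably chosen so the module is only ever run
  # when an operator selects it by hand -- confirm against framework docs.
  Rank = ManualRanking

  # Registers the module metadata and its two selectable "targets".
  #
  # Each target carries a single option, 'script': a Base64 string that
  # #exploit decodes. As consumed by #exploit, the decoded text is one
  # `Name: text` entry per line, with a `Cast:` line supplying the
  # whitespace-separated markers that are assigned to speakers.
  #
  # @param info [Hash] metadata passed in by the framework and merged via
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Steamed Hams',
        'Description' => "but it's a Metasploit Module",
        'License' => MSF_LICENSE,
        'Author' => [ 'bcook-r7' ],
        'DisclosureDate' => '2018-04-01',
        'References' => [['URL', 'https://www.youtube.com/watch?v=mkX3dO6KN54']],
        'Platform' => %w[android apple_ios bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi],
        'Arch' => ARCH_ALL,
        'Targets' => [
          [ 'An Unforgettable Luncheon', {
            # Base64 text, kept at column 0 so the literal is unchanged.
            'script' => %q(
Q2FzdDogJXllbFvwn6SUXSAlYmx1W/CfmJNdICVncm5b8J+RqfCfjqRdICVncm5b8J+RtV0gJXJl
ZFvwn5qSXQpDaGFsbWVyczogV2VsbCwgU2V5bW91ciwgSSBtYWRlIGl0LSBkZXNwaXRlIHlvdXIg
ZGlyZWN0aW9ucy4KU2tpbm5lcjogQWguIFN1cGVyaW50ZW5kZW50IENoYWxtZXJzLgpTa2lubmVy
OiBXZWxjb21lLgpTa2lubmVyOiBJIGhvcGUgeW91J3JlIHByZXBhcmVkIGZvciBhbiB1bmZvcmdl
dHRhYmxlIGx1bmNoZW9uLgpDaGFsbWVyczogWWVhaC4KU2tpbm5lcjogT2gsIGVnYWRzIQpTa2lu
bmVyOiBNeSByb2FzdCBpcyBydWluZWQuClNraW5uZXI6IEJ1dCB3aGF0IGlmIEkgd2VyZSB0byBw
dXJjaGFzZSBmYXN0IGZvb2QgYW5kIGRpc2d1aXNlIGl0IGFzIG15IG93biBjb29raW5nPwpTa2lu
bmVyOiBEZWxpZ2h0ZnVsbHkgZGV2aWxpc2gsIFNleW1vdXIuClNpbmdlcnM6IFNraW5uZXIgd2l0
aCBoaXMgY3JhenkgZXhwbGFuYXRpb25zClNpbmdlcnM6IFRoZSBzdXBlcmludGVuZGVudCdzIGdv
bm5hIG5lZWQgaGlzIG1lZGljYXRpb24KU2luZ2VyczogV2hlbiBoZSBoZWFycyBTa2lubmVyJ3Mg
bGFtZSBleGFnZ2VyYXRpb25zClNpbmdlcnM6IFRoZXJlJ2xsIGJlIHRyb3VibGUgaW4gdG93biB0
b25pZ2h0IQpDaGFsbWVyczogU2V5bW91ciEKU2tpbm5lcjogU3VwZXJpbnRlbmRlbnQsIEkgd2Fz
IGp1c3QtIHVoLCBqdXN0IHN0cmV0Y2hpbmcgbXkgY2FsdmVzIG9uIHRoZSB3aW5kb3dzaWxsLgpT
a2lubmVyOiBJc29tZXRyaWMgZXhlcmNpc2UuClNraW5uZXI6IENhcmUgdG8gam9pbiBtZT8KQ2hh
bG1lcnM6IFdoeSBpcyB0aGVyZSBzbW9rZSBjb21pbmcgb3V0IG9mIHlvdXIgb3ZlbiwgU2V5bW91
cj8KU2tpbm5lcjogVWgtIE9oLiBUaGF0IGlzbid0IHNtb2tlLgpTa2lubmVyOiBJdCdzIHN0ZWFt
LgpTa2lubmVyOiBTdGVhbSBmcm9tIHRoZSBzdGVhbWVkIGNsYW1zIHdlJ3JlIGhhdmluZy4KU2tp
bm5lcjogTW1tLiBTdGVhbWVkIGNsYW1zLgpTa2lubmVyOiBTdXBlcmludGVuZGVudCwgSSBob3Bl
IHlvdSdyZSByZWFkeSBmb3IgbW91dGh3YXRlcmluZyBoYW1idXJnZXJzLgpDaGFsbWVyczogSSB0
aG91Z2h0IHdlIHdlcmUgaGF2aW5nIHN0ZWFtZWQgY2xhbXMuClNraW5uZXI6IEQnb2gsIG5vLgpT
a2lubmVyOiBJIHNhaWQgc3RlYW1lZCBoYW1zLgpTa2lubmVyOiBUaGF0J3Mgd2hhdCBJIGNhbGwg
aGFtYnVyZ2Vycy4KQ2hhbG1lcnM6IFlvdSBjYWxsIGhhbWJ1cmdlcnMgc3RlYW1lZCBoYW1zPwpT
a2lubmVyOiBZZXMuClNraW5uZXI6IEl0J3MgYSByZWdpb25hbCBkaWFsZWN0LgpDaGFsbWVyczog
VWgtaHVoLiBVaCwgd2hhdCByZWdpb24/ClNraW5uZXI6IFVoLCB1cHN0YXRlIE5ldyBZb3JrLgpD
aGFsbWVyczogUmVhbGx5LgpDaGFsbWVyczogV2VsbCwgSSdtIGZyb20gVXRpY2EsIGFuZCBJJ3Zl
IG5ldmVyIGhlYXJkIGFueW9uZSB1c2UgdGhlIHBocmFzZSAic3RlYW1lZCBoYW1zLiIKU2tpbm5l
cjogT2gsIG5vdCBpbiBVdGljYS4gTm8uClNraW5uZXI6IEl0J3MgYW4gQWxiYW55IGV4cHJlc3Np
b24uCkNoYWxtZXJzOiBJIHNlZS4KQ2hhbG1lcnM6IFlvdSBrbm93LCB0aGVzZSBoYW1idXJnZXJz
IGFyZSBxdWl0ZSBzaW1pbGFyIHRvIHRoZSBvbmVzIHRoZXkgaGF2ZSBhdCBLcnVzdHkgQnVyZ2Vy
LgpTa2lubmVyOiBPaCwgbm8uClNraW5uZXI6IFBhdGVudGVkIFNraW5uZXIgYnVyZ2Vycy4KU2tp
bm5lcjogT2xkIGZhbWlseSByZWNpcGUuCkNoYWxtZXJzOiBGb3Igc3RlYW1lZCBoYW1zLgpTa2lu
bmVyOiBZZXMuCkNoYWxtZXJzOiBZZXMuCkNoYWxtZXJzOiBBbmQgeW91IGNhbGwgdGhlbSBzdGVh
bWVkIGhhbXMgZGVzcGl0ZSB0aGUgZmFjdCB0aGF0IHRoZXkgYXJlIG9idmlvdXNseSBncmlsbGVk
LgpTa2lubmVyOiBZZS0KU2tpbm5lcjogWW91IGtub3csIHRoZS0KU2tpbm5lcjogT25lIHRoaW5n
IEkgc2hvdWxkLSAtClNraW5uZXI6IEV4Y3VzZSBtZSBmb3Igb25lIHNlY29uZC4KQ2hhbG1lcnM6
IE9mIGNvdXJzZS4KU2tpbm5lcjogV2VsbCwgdGhhdCB3YXMgd29uZGVyZnVsLgpTa2lubmVyOiBB
IGdvb2QgdGltZSB3YXMgaGFkIGJ5IGFsbC4KU2tpbm5lcjogSSdtIHBvb3BlZC4KQ2hhbG1lcnM6
IFllcy4gSSBzaG91bGQgYmUtCkNoYWxtZXJzOiBHb29kIExvcmQhCkNoYWxtZXJzOiBXaGF0IGlz
IGhhcHBlbmluZyBpbiB0aGVyZT8KU2tpbm5lcjogQXVyb3JhIGJvcmVhbGlzLgpDaGFsbWVyczog
VWgtIEF1cm9yYSBib3JlYWxpcwpDaGFsbWVyczogYXQgdGhpcyB0aW1lIG9mIHllYXIKQ2hhbG1l
cnM6IGF0IHRoaXMgdGltZSBvZiBkYXkKQ2hhbG1lcnM6IGluIHRoaXMgcGFydCBvZiB0aGUgY291
bnRyeQpDaGFsbWVyczogbG9jYWxpemVkIGVudGlyZWx5IHdpdGhpbiB5b3VyIGtpdGNoZW4/ClNr
aW5uZXI6IFllcy4KQ2hhbG1lcnM6IE1heSBJIHNlZSBpdD8KU2tpbm5lcjogTm8uCk1vdGhlcjog
U2V5bW91ciEKTW90aGVyOiBUaGUgaG91c2UgaXMgb24gZmlyZSEKU2tpbm5lcjogTm8sIE1vdGhl
ci4gSXQncyBqdXN0IHRoZSBub3J0aGVybiBsaWdodHMuCkNoYWxtZXJzOiBXZWxsLCBTZXltb3Vy
LCB5b3UgYXJlIGFuIG9kZCBmZWxsb3cgYnV0IEkgbXVzdCBzYXkgeW91IHN0ZWFtIGEgZ29vZCBo
YW0uCk1vdGhlcjogSGVscCEKTW90aGVyOiBIZWxwIQpGaXJldHJ1Y2s6IHdoZWVlcnJycgo=)
          } ],
          [ 'Legitimate Theater', {
            # Base64 text, kept at column 0 so the literal is unchanged.
            'script' => %q(
Q2FzdDogW/Cfpo1dICVibHVb8J+RqPCfmoBdICVncm5b8J+ZiPCfmYnwn5mK8J+OpF0gJWdyblvw
n5C18J+PpV0gJXJlZFvwn5mJXSAlYmx1W/CfkJLwn4+lXSAleWVsW/CfmI5dICV5ZWxb8J+Yi10g
W/Cfpo3wn5C18J+mjfCfkLVdICVibHVb8J+mjfCfkLXwn5Go8J+QtfCfpo1dCkdvcmlsbGE6IEhl
bHAsIHRoZSBodW1hbidzIGFib3V0IHRvIGVzY2FwZSEKVHJveTogR2V0IHlvdXIgcGF3cyBvZmYg
bWUsIHlvdSBkaXJ0eSBhcGUhCkdvcmlsbGE6IChnYXNwcykgSGUgY2FuIHRhbGshCk9yYW5ndXRh
bnM6IEhlIGNhbiB0YWxrISBIZSBjYW4gdGFsayEKT3Jhbmd1dGFuczogSGUgY2FuIHRhbGshIEhl
IGNhbiB0YWxrIQpPcmFuZ3V0YW5zOiBIZSBjYW4gdGFsayEgSGUgY2FuIHRhbGshClRyb3k6IEkg
Y2FuIHNpaWlpaWlpaW5nIQpDaGltcCBOdXJzZTogT29oLCBoZWxwIG1lLCBEci4gWmFpdXMhCk9y
YW5ndXRhbnM6IERyLiBaYWl1cyEgRHIuIFphaXVzIQpPcmFuZ3V0YW5zOiBEci4gWmFpdXMhIERy
LiBaYWl1cyEKT3Jhbmd1dGFuczogRHIuIFphaXVzISBEci4gWmFpdXMhCk9yYW5ndXRhbnM6IE9o
LCBEci4gWmFpdXMhCk9yYW5ndXRhbjogRHIuIFphaXVzISBEci4gWmFpdXMhClRyb3k6IFdoYXQn
cyB3cm9uZyB3aXRoIG1lPwpaYWl1czogSSB0aGluayB5b3UncmUgY3JhenkuClRyb3k6IFdhbnQg
YSBzZWNvbmQgb3Bpbmlvbi4KWmFpdXM6IFlvdSdyZSBhbHNvIGxhenkuCk9yYW5ndXRhbnM6IERy
LiBaYWl1cyEgRHIuIFphaXVzIQpPcmFuZ3V0YW5zOiBEci4gWmFpdXMhIERyLiBaYWl1cyEKT3Jh
bmd1dGFuczogRHIuIFphaXVzISBEci4gWmFpdXMhCk9yYW5ndXRhbnM6IE9oLCBEci4gWmFpdXMh
Ck9yYW5ndXRhbjogRHIuIFphaXVzISBEci4gWmFpdXMhClRyb3k6IENhbiBJIHBsYXkgdGhlIHBp
YW5vIGFueW1vcmU/ClphaXVzOiBPZiBjb3Vyc2UgeW91IGNhbi4KVHJveTogV2VsbCwgSSBjb3Vs
ZG4ndCBiZWZvcmUuClRyb3k6IChwbGF5cyB0aGUgcGlhbm8pCk9yYW5ndXRhbnM6IERyLiBaYWl1
cyEgRHIuIFphaXVzIQpPcmFuZ3V0YW5zOiBEci4gWmFpdXMhIERyLiBaYWl1cyEKT3Jhbmd1dGFu
czogRHIuIFphaXVzISBEci4gWmFpdXMhCk9yYW5ndXRhbnM6IE9oLCBEci4gWmFpdXMhCk9yYW5n
dXRhbjogRHIuIFphaXVzISBEci4gWmFpdXMhCkJhcnQ6IFRoaXMgcGxheSBoYXMgZXZlcnl0aGlu
Zy4KSG9tZXI6IE9oLCBJIGxvdmUgbGVnaXRpbWF0ZSB0aGUtYS10ZXIuClRyb3k6IEkgaGF0ZSBl
dmVyeSBhcGUgSSBzZWUKVHJveTogRnJvbSBjaGltcGFuLWEgdG8gY2hpbXBhbi16LApUcm95OiBO
bywgeW91J2xsIG5ldmVyIG1ha2UgYSBtb25rZXkgb3V0IG9mIG1lLgpUcm95OiBPaCwgbXkgR29k
LCBJIHdhcyB3cm9uZywKVHJveTogSXQgd2FzIEVhcnRoIGFsbCBhbG9uZy4KVHJveTogWW91IGZp
bmFsbHkgbWFkZSBhIG1vbmtleS4uLgpBcGVzOiBZZXMgd2UgZmluYWxseSBtYWRlIGEgbW9ua2V5
Li4uClRyb3kgYW5kIEFwZXM6IFllcywgeW91IGZpbmFsbHkgbWFkZSBhIG1vbmtleSBvdXQgb2Yg
bWUhClRyb3k6IEkgbG92ZSB5b3UsIERyLiBaYWl1cyEK)
          } ],
        ],
        'DefaultTarget' => 0,
      )
    )
  end

  # Decodes the selected target's script and prints it one line at a time.
  #
  # A `Cast:` line resets the pool of markers; every other line is printed as
  # `<marker>[ <speaker>:] <text>`, the speaker name appearing only when the
  # VERBOSE datastore option is set. After each printed line the method sleeps
  # 0.30 seconds per word of that line.
  #
  # @return [void]
  def exploit
    cast = []
    castmap = {}
    Base64.decode64(target['script']).each_line do |line|
      # Split on the first colon only, so a colon inside the spoken text is
      # kept instead of silently truncating the line. The local is named
      # `speaker` so it no longer shadows the framework's `target` accessor.
      speaker, msg = line.split(':', 2).map(&:strip)

      # A blank line or one without a colon has no text to print; skipping it
      # avoids calling String methods on nil.
      next if speaker.nil? || msg.nil?

      if speaker == 'Cast'
        cast = msg.split
        # Lazily hand each new speaker the next marker, cycling through the
        # cast list: rotate! moves the head to the tail and [-1] reads it back.
        castmap = Hash.new { |hash, key| hash[key] = cast.rotate![-1] }
      else
        label = datastore['VERBOSE'] ? " #{speaker}:" : ''
        print_line("%bld#{castmap[speaker]}#{label}%clr #{msg}")
        sleep(0.30 * msg.split.size)
      end
    end
  end
end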