Metasploit mailing list archives
PAYLOAD: adduser.rb - Checks on the PASS parameter
From: chris.riley at c22.cc (ChrisJohnRiley)
Date: Fri, 11 Sep 2009 02:05:31 +0200
Hi Guys, I?m trying to implement a few checks in a custom version of the adduser.rb payload (length and password complexity rules on the PASS parameter). Although I?ve the checks are functioning (see DEBUG messages), I can?t seem to get the payload to exit out cleanly and cancel the exploit (Msf::OptionValidateError ???). Currently I?m doing the following (excuse the beginners Ruby) .: <snip> if datastore['PASS'] != '' if datastore['PASS'].length > 14 puts "#\n#[DEBUG] Password is more than 14 characters long\n#" datastore['PASS'] = '' # Regex to match for min 8 chars, Upper, lower, number and special character elsif PASS =~ /\A^.*((?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[\d\W])).*$/ puts "#\n#[DEBUG] Password passes complexity requirements\n#" else puts "#\n#[DEBUG] Password failed complexity\n#" datastore['PASS'] = '' end end </snip> The whole adduser_wmic_regex.rb script is available for download here ? https://sites.google.com/a/c22.cc/storage/home/metasploit Although I?m running this section of code at the start of command_string, it appears to run after the validation routine is already completed on the PASS parameter to make sure it?s present and correct. Even then setting the PASS parameter to an empty string probably isn?t the standard method of handling this. I?m sure that there?s a better way (one that works), or alternatively a separate place altogether I should be implementing these checks. Can anybody point me in the right direction to find a solution ? Thanks, Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090911/0e51eac1/attachment.html>
Current thread:
- PAYLOAD: adduser.rb - Checks on the PASS parameter ChrisJohnRiley (Sep 10)
- PAYLOAD: adduser.rb - Checks on the PASS parameter HD Moore (Sep 11)
- PAYLOAD: adduser.rb - Checks on the PASS parameter ChrisJohnRiley (Sep 11)
- PAYLOAD: adduser.rb - Checks on the PASS parameter HD Moore (Sep 11)