
Tincd Post-Authentication Remote TCP Stack Buffer Overflow

Disclosed
2013-04-22
Created
2018-05-30

Description

This module exploits a stack buffer overflow in Tinc's tincd
service. After authentication, a specially crafted TCP packet (default port 655)
triggers a buffer overflow and allows arbitrary code execution. This module has
been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7
(windows/meterpreter/reverse_tcp), and with tinc 1.0.19 from the ports collection of
FreeBSD 9.1-RELEASE #0 and on various other operating systems (see targets). The exploit probably works
for all versions. A manually compiled version (1.1pre6) on Ubuntu 12.10 with gcc 4.7.2 seems to
produce a non-exploitable crash because of calls to __memcpy_chk, depending on how tincd
was compiled. The bug was fixed in version 1.0.21/1.1pre7. While writing this module,
the maintainer was advised to start using DEP/ASLR and other protection
mechanisms.
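As an added illustration of the bug class and of the bound check whose absence makes such a packet handler overflow (example code written for this page, not tinc's source or this module's code; the 2-byte big-endian length prefix and 256-byte buffer are assumptions):

```c
/* Hypothetical length-prefixed packet handler of the kind in which a
 * post-authentication stack overflow occurs. Not tinc's code; the packet
 * layout (2-byte big-endian length + payload) is assumed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAYLOAD 256

/* Copies the declared payload into a fixed-size stack buffer.
 * Returns the payload length on success, -1 if the packet is malformed.
 * Without the `declared > MAX_PAYLOAD` check, the memcpy below would write
 * past `buf` on the stack, which is the bug class this module exploits.
 * Built with -D_FORTIFY_SOURCE=2, gcc turns that memcpy into __memcpy_chk,
 * which aborts instead of overflowing: the non-exploitable crash noted
 * above for the Ubuntu build. */
int handle_packet(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[MAX_PAYLOAD];

    if (pkt_len < 2)                       /* header must be present */
        return -1;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    /* Both bounds matter: the declared length must fit the destination
     * buffer AND the bytes actually received, or the copy reads past pkt. */
    if (declared > MAX_PAYLOAD || declared > pkt_len - 2)
        return -1;
    memcpy(buf, pkt + 2, declared);
    return (int)declared;
}

/* Constructed packets for a stand-alone run. */
int main(void)
{
    uint8_t ok[2 + 16]  = {0x00, 0x10};    /* declares 16 bytes, 16 present */
    uint8_t big[2 + 4]  = {0x04, 0x00};    /* declares 1024 bytes: oversize */
    uint8_t lie[2 + 4]  = {0x00, 0x08};    /* declares 8 bytes, only 4 present */
    printf("ok=%d big=%d lie=%d\n",
           handle_packet(ok, sizeof ok),
           handle_packet(big, sizeof big),
           handle_packet(lie, sizeof lie));
    return 0;
}
```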

Authors

Tobias Ospelt
Martin Schobert

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/multi/vpn/tincd_bof
msf exploit(tincd_bof) > show targets
...targets...
msf exploit(tincd_bof) > set TARGET < target-id >
msf exploit(tincd_bof) > show options
...show and set options...
msf exploit(tincd_bof) > exploit
