Added module plus encoder for CVE-2012-2329 #487
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I already reviewed and tested the exploit. However, I'm not entirely confident with the encoder, so I'd like to ask HD or James to review that. |
|
first feedback from egypt: nops can be prepended in the encoder to avoid invalid lengths. In this way other people can use it without worrying of length. On the other hand, metadata could be used in the exploit module avoiding manually encoding in exploi()! I'll do the change tomorrow morning (my timezone :)). ==> Done! Waiting for HD or someone else feedabck. I really would like someone more checking it! |
|
|
||
| print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}") | ||
|
|
||
| uri = target_uri.path |
There was a problem hiding this comment.
why not just uri = target_uri.to_s ?
|
thanks jlee-r7 for review! changes added in a8a4594 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added module for CVE-2012-2329 PHP CGI apache_request_headers Buffer Overflow.
Tested with PHP-5.4.2 (thread safe version) from windows.php.net and Apache 2.2.22 from Apache Lounge (http://www.apachelounge.com/).
Still no DEP bypass available. Searching for a reliable stackpivot.
This module has needed his own encoder because of the specific badchar "0x5f" (underscore) which makes it incompatible with the available "avoid tolower" encoders in msf.